diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index 73131af1a9..16e818ee4d 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Malware Persistence Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Invoke-TheHash Commandlets, WMImplant Hack Tool"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, WMImplant Hack Tool, Suspicious PowerShell Invocations - Specific, Suspicious PowerShell Invocations - Generic, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell EncodedCommand, FromBase64String Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, Invoke-TheHash Commandlets"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Disable Task Manager Through Registry Key, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Powershell AMSI Bypass, Netsh Allowed Python Program, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Phorpiex DriveMgr Command, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Linux Bash Reverse Shell, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, Mustang Panda Dropper"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, CertOC Loading Dll"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Powershell Web Request, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, DNS Exfiltration and Tunneling Tools Execution, Invoke-TheHash Commandlets, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
index 8ec34f5908..428ea7f5dc 100644
--- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMImplant Hack Tool"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, Aspnet Compiler, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Download From URL"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, Credentials Extraction, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, SSH Tunnel Traffic, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SSH X11 Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Setuid Or Setgid Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Many Downloads From Several Binaries, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1620", "score": 100, "comment": "Rules: Linux Fileless Execution"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool, Credentials Extraction"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, PowerShell Download From URL, Phorpiex DriveMgr Command, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Aspnet Compiler, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Python Offensive Tools and Packages, Mustang Panda Dropper"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Binary Masquerading, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Credentials Extraction, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, SSH Tunnel Traffic, Socat Relaying Socket, Socat Reverse Shell Detection, SSH X11 Forwarding, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, Many Downloads From Several Binaries, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification, ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1620", "score": 100, "comment": "Rules: Linux Fileless Execution"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
index 0f4844c560..b0c4b91964 100644
--- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Citrix NetScaler (ADC) Actions Blocked"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Citrix NetScaler (ADC) Actions Blocked"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
index 7bd5b5732a..f05dc87847 100644
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, Process Trace Alteration, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMImplant Hack Tool"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, AutoIt3 Execution From Suspicious Folder, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Threat Detected, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, WithSecure Elements Critical Severity, PowerShell Download From URL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Netsh RDP Port Forwarding, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Tampering Detected, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Login Brute-Force Successful On SentinelOne EDR Management Console, SolarWinds Suspicious File Creation, Microsoft Defender Antivirus Threat Detected, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, WithSecure Elements Critical Severity, PsExec Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Login Brute-Force Successful On SentinelOne EDR Management Console, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, WithSecure Elements Critical Severity, Sysmon Windows File Block Executable"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Suspicious desktop.ini Action, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, WithSecure Elements Critical Severity, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Python Offensive Tools and Packages, Mustang Panda Dropper"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Microsoft Defender Antivirus Tampering Detected, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus Tampering Detected, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, WithSecure Elements Critical Severity, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, WithSecure Elements Critical Severity, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
index aca32f0c02..dfe2a1355f 100644
--- a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
index 9047746fe3..614c2305de 100644
--- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Google Workspace External Sharing, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation, Google Workspace Account Warning"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Suspended, Google Workspace User Deletion, Google Workspace Admin Deletion"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Domain Delegation, Google Workspace Admin Modification"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Google Workspace Blocked Sender"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Google Workspace Login Brute-Force"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Google Workspace External Sharing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation, Google Workspace Account Warning"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Deletion, Google Workspace Admin Deletion, Google Workspace User Suspended"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Domain Delegation, Google Workspace Admin Modification"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Google Workspace Blocked Sender, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Google Workspace Login Brute-Force"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace Password Change, Google Workspace MFA changed"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index 7049c5d44f..a2fad70a5a 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Powershell Winlogon Helper DLL, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Microsoft Defender XDR Endpoint Alert, ZIP LNK Infection Chain, Microsoft Defender XDR Office 365 Alert, Explorer Process Executing HTA File, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, Microsoft Defender XDR Cloud App Security Alert, IcedID Execution Using Excel, HTA Infection Chains, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender XDR Alert, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, ISO LNK Infection Chain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, NetNTLM Downgrade Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, Disabling SmartScreen Via Registry, Blue Mockingbird Malware, FlowCloud Malware, NetNTLM Downgrade Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Mshta Suspicious Child Process, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, Microsoft Defender XDR Endpoint Alert, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Microsoft Defender XDR Office 365 Alert, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Outlook Child Process, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender XDR Cloud App Security Alert, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Generic, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, Microsoft Defender XDR Alert, WMIC Uninstall Product, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Disabled Service, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding, NetNTLM Downgrade Attack"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Suspicious Driver Loaded, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Disabled Service, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program, NetNTLM Downgrade Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Winword wrong parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Winword wrong parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, Shell PID Injection, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Download From URL"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Microsoft Defender XDR Endpoint Alert, PsExec Process, Taskhost Wrong Parent, Microsoft Defender XDR Office 365 Alert, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Microsoft Defender XDR Cloud App Security Alert, Windows Update LolBins, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Login Brute-Force Successful On SentinelOne EDR Management Console, Winword wrong parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Wininit Wrong Parent, Microsoft Defender XDR Alert, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Winrshost Wrong Parent"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Shell PID Injection, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Svchost Modification, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Microsoft Defender XDR Cloud App Security Alert, Microsoft Defender XDR Alert, Download Files From Suspicious TLDs, HTA Infection Chains, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, Malspam Execution Registering Malicious DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, ISO LNK Infection Chain, Microsoft Defender XDR Office 365 Alert, Microsoft Defender XDR Endpoint Alert, IcedID Execution Using Excel, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, NetNTLM Downgrade Attack, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, RDP Sensitive Settings Changed, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Disabling SmartScreen Via Registry"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, Microsoft Defender XDR Cloud App Security Alert, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Interactive Terminal Spawned via Python, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender XDR Alert, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, Microsoft Defender XDR Office 365 Alert, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Microsoft Defender XDR Endpoint Alert, Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Spawning Script, Python Offensive Tools and Packages, Mustang Panda Dropper"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, SELinux Disabling, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, NetNTLM Downgrade Attack, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Disabled Service, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, SELinux Disabling, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, NetNTLM Downgrade Attack, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Disabled Service, ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, MavInject Process Injection, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchindexer Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchindexer Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Svchost Modification, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchindexer Wrong Parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Microsoft Defender XDR Cloud App Security Alert, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Microsoft Defender XDR Alert, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchindexer Wrong Parent, Wininit Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Microsoft Defender XDR Office 365 Alert, Smss Wrong Parent, Winrshost Wrong Parent, SolarWinds Suspicious File Creation, Microsoft Defender XDR Endpoint Alert, Exfiltration Via Pscp, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Python HTTP Server, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Shell PID Injection, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Possible Malicious File Double Extension, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index d11cb694c3..6b08d7d349 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Socat Reverse Shell Detection, Sekoia.io EICAR Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Relaying Socket, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
index 5ee7d80baf..3c6088a84d 100644
--- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Trend Micro Apex One Data Loss Prevention Alert, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Trend Micro Apex One Malware Alert, ISO LNK Infection Chain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, Process Trace Alteration, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Information Stealer Downloading Legitimate Third-Party DLLs, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMI Fingerprint Commands"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Trend Micro Apex One Data Loss Prevention Alert, Suspicious Taskkill Command, Socat Reverse Shell Detection, Trend Micro Apex One Malware Alert, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Package Manager Alteration, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Cookies Deletion, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Download From URL"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Trend Micro Apex One Data Loss Prevention Alert, Exfiltration Via Pscp, Trend Micro Apex One Malware Alert, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, PsExec Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Shell PID Injection, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group, Enabling Restricted Admin Mode, Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues, Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Suspicious desktop.ini Action, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Trend Micro Apex One Malware Alert, Microsoft Office Creating Suspicious File, HTA Infection Chains, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Trend Micro Apex One Data Loss Prevention Alert, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMI Fingerprint Commands"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Copy Of Legitimate System32 Executable, Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, Elise Backdoor, Trend Micro Apex One Malware Alert, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Trend Micro Apex One Data Loss Prevention Alert, Python Offensive Tools and Packages, Mustang Panda Dropper"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, Mustang Panda Dropper"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Cookies Deletion, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Trend Micro Apex One Malware Alert, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Information Stealer Downloading Legitimate Third-Party DLLs, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Shell PID Injection, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, SSH Authorized Key Alteration, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues, Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
index 142521e246..dedb40b3ca 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
index 7f5feddac0..1891cf2d4a 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Malware Persistence Registry Key"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Custom Rule Alert, Download Files From Suspicious TLDs, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Agent Disabled, ZIP LNK Infection Chain, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Malicious), HTA Infection Chains, SentinelOne EDR Threat Mitigation Report Quarantine Success, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Malicious Threat Not Mitigated, Login Failed Brute-Force On SentinelOne EDR Management Console, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR User Failed To Log In To The Management Console, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, ISO LNK Infection Chain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Suspicious PROCEXP152.sys File Created In Tmp, Suspicious Microsoft Defender Antivirus Exclusion Command, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Custom Rule Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Suspicious PowerShell Invocations - Specific, SentinelOne EDR Agent Disabled, Bloodhound and Sharphound Tools Usage, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR SSO User Added, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, SentinelOne EDR Threat Mitigation Report Quarantine Success, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Malicious Threat Not Mitigated, Socat Relaying Socket, Mustang Panda Dropper, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Login Failed Brute-Force On SentinelOne EDR Management Console, Lazarus Loaders, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Login Brute-Force Successful On SentinelOne EDR Management Console, PowerShell Invoke Expression With Registry, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Kill Success, WMIC Uninstall Product, SentinelOne EDR User Failed To Log In To The Management Console, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Custom Rule Alert, SolarWinds Wrong Child Process, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), PsExec Process, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Agent Disabled, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Malicious), Usage Of Sysinternals Tools, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Malicious Threat Not Mitigated, Login Failed Brute-Force On SentinelOne EDR Management Console, OneNote Suspicious Children Process, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR User Failed To Log In To The Management Console, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, WMImplant Hack Tool, Suspicious PowerShell Invocations - Specific, Suspicious PowerShell Invocations - Generic, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell EncodedCommand, FromBase64String Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Adidnsdump Enumeration"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Suspicious desktop.ini Action, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR SSO User Added, SentinelOne EDR Agent Disabled, Download Files From Suspicious TLDs, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR User Failed To Log In To The Management Console, HTA Infection Chains, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, Malspam Execution Registering Malicious DLL, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Detected (Malicious), Login Failed Brute-Force On SentinelOne EDR Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Kill Success, Cobalt Strike Default Beacons Names, SentinelOne EDR Threat Mitigation Report Remediate Success, ISO LNK Infection Chain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, Invoke-TheHash Commandlets, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Disable Task Manager Through Registry Key, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, WMIC Uninstall Product, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Forwarding, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Powershell AMSI Bypass, Netsh Allowed Python Program, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Phorpiex DriveMgr Command, QakBot Process Creation, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Malicious Threat Not Mitigated, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR SSO User Added, SentinelOne EDR Agent Disabled, WMIC Uninstall Product, MalwareBytes Uninstallation, SentinelOne EDR User Logged In To The Management Console, Powershell Web Request, SentinelOne EDR User Failed To Log In To The Management Console, Suspicious Taskkill Command, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, SentinelOne EDR Threat Detected (Suspicious), Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Linux Bash Reverse Shell, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SquirrelWaffle Malspam Execution Loading DLL, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Custom Rule Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Login Failed Brute-Force On SentinelOne EDR Management Console, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Socat Reverse Shell Detection, SentinelOne EDR Threat Mitigation Report Quarantine Success, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Microsoft Defender Antivirus Exclusion Command, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Remediate Success, Mustang Panda Dropper"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Copy Of Legitimate System32 Executable, Possible Malicious File Double Extension, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, PsExec Process, SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Threat Mitigation Report Quarantine Failed, PsExec Process, SolarWinds Wrong Child Process, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR SSO User Added, SentinelOne EDR Agent Disabled, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR User Failed To Log In To The Management Console, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Custom Rule Alert, Usage Of Procdump With Common Arguments, SentinelOne EDR Threat Detected (Malicious), Login Failed Brute-Force On SentinelOne EDR Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Remediate Success"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Desktopimgdownldr Execution, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Powershell Web Request, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, DNS Exfiltration and Tunneling Tools Execution, Invoke-TheHash Commandlets, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Wrong Child Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json
index 5e5b75f2f5..ab56be4ac1 100644
--- a/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x 1Password EPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x 1Password EPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
index 3dffb4e781..50e4edf2d3 100644
--- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
index bc3c8a5984..2bbc0c50c0 100644
--- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Exploit For CVE-2015-1641, ZIP LNK Infection Chain, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, ISO LNK Infection Chain, IcedID Execution Using Excel"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Mshta Suspicious Child Process, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Outlook Child Process, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Explorer Wrong Parent, Winword wrong parent, SolarWinds Wrong Child Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Explorer Wrong Parent, Winword wrong parent, SolarWinds Wrong Child Process, New Service Creation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Download From URL"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Winword wrong parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Winword wrong parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, PsExec Process, Windows Update LolBins"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Shell PID Injection, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, HTA Infection Chains, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, PowerShell Commands Invocation, PowerShell Download From URL, Phorpiex DriveMgr Command, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Spawning Script, Mustang Panda Dropper"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, PsExec Process, SolarWinds Wrong Child Process, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, SolarWinds Wrong Child Process, Windows Update LolBins, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Shell PID Injection, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index ae4a36f4fb..1b7ef66fb2 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Powershell Winlogon Helper DLL, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Microsoft Office Spawning Script, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, ISO LNK Infection Chain, IcedID Execution Using Excel"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, NetNTLM Downgrade Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, Disabling SmartScreen Via Registry, Blue Mockingbird Malware, FlowCloud Malware, NetNTLM Downgrade Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Mshta Suspicious Child Process, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Outlook Child Process, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Disabled Service, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding, NetNTLM Downgrade Attack"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Suspicious Driver Loaded, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Disabled Service, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program, NetNTLM Downgrade Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Winword wrong parent, Wmiprvse Wrong Parent, New Service Creation, Svchost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Winword wrong parent, Wmiprvse Wrong Parent, New Service Creation, Svchost Wrong Parent"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, Shell PID Injection, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Download From URL"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Windows Update LolBins, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cobalt Strike DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Shell PID Injection, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cobalt Strike DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Svchost Modification, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, HTA Infection Chains, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, RDP Sensitive Settings Changed, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Disabling SmartScreen Via Registry"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Interactive Terminal Spawned via Python, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Spawning Script, Mustang Panda Dropper"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, SELinux Disabling, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, NetNTLM Downgrade Attack, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Disabled Service, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, SELinux Disabling, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, NetNTLM Downgrade Attack, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Disabled Service, ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, MavInject Process Injection, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Svchost Modification, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchindexer Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchindexer Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Exfiltration Via Pscp, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Koadic MSHTML Command, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Shell PID Injection, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
index ec30996320..4f6925731c 100644
--- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
index 855a302fca..52c3bc10d2 100644
--- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel, Password Change Brute-Force On AzureAD, RSA SecurID Failed Authentification, Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel, Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Unfamiliar Features, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Token Issuer Anomaly"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Unfamiliar Features, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Token Issuer Anomaly"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046)"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Entra ID Password Compromised By Known Credential Testing Tool, Authentication Impossible Travel, Password Change Brute-Force On AzureAD"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication, Authentication Impossible Travel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Anonymous IP, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Unfamiliar Features"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Anonymous IP, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Unfamiliar Features"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046)"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
index a76854366f..8cac830c51 100644
--- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Suspicious File Name, Socat Reverse Shell Detection, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Trace Alteration, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
index de712945b0..b98202cfd4 100644
--- a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
index 00bb6b07b9..7517a2ce69 100644
--- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Malware Persistence Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Invoke-TheHash Commandlets, WMImplant Hack Tool"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, WMImplant Hack Tool, Suspicious PowerShell Invocations - Specific, Suspicious PowerShell Invocations - Generic, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell EncodedCommand, FromBase64String Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, Invoke-TheHash Commandlets"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Disable Task Manager Through Registry Key, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Powershell AMSI Bypass, Netsh Allowed Python Program, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Phorpiex DriveMgr Command, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Linux Bash Reverse Shell, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, Mustang Panda Dropper"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, CertOC Loading Dll"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Powershell Web Request, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, DNS Exfiltration and Tunneling Tools Execution, Invoke-TheHash Commandlets, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
index 5cb9b547b0..7c9da78a50 100644
--- a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
index 7bc599cd86..41c90cc30b 100644
--- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection, ZIP LNK Infection Chain, Explorer Process Executing HTA File, CrowdStrike Falcon Identity Protection Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, Suspicious Outlook Child Process, CrowdStrike Falcon Intrusion Detection Informational Severity, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, HTA Infection Chains, CrowdStrike Falcon Intrusion Detection High Severity, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Identity Protection Detection High Severity, Malspam Execution Registering Malicious DLL, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Intrusion Detection Low Severity, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, ISO LNK Infection Chain, CrowdStrike Falcon Intrusion Detection Critical Severity"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, Process Trace Alteration, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Mshta Suspicious Child Process, Microsoft Office Spawning Script, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, CrowdStrike Falcon Intrusion Detection Medium Severity, XSL Script Processing And SquiblyTwo Attack, CrowdStrike Falcon Intrusion Detection, Exploited CVE-2020-10189 Zoho ManageEngine, AutoIt3 Execution From Suspicious Folder, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, CrowdStrike Falcon Identity Protection Detection Medium Severity, Suspicious Taskkill Command, CrowdStrike Falcon Identity Protection Detection Critical Severity, Suspicious Outlook Child Process, CrowdStrike Falcon Intrusion Detection Informational Severity, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, CrowdStrike Falcon Intrusion Detection High Severity, Phorpiex DriveMgr Command, QakBot Process Creation, CrowdStrike Falcon Identity Protection Detection High Severity, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, CrowdStrike Falcon Identity Protection Detection Informational Severity, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection Low Severity, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL, CrowdStrike Falcon Intrusion Detection Critical Severity"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Searchprotocolhost Child Found, CrowdStrike Falcon Intrusion Detection, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, CrowdStrike Falcon Identity Protection Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Windows Update LolBins, CrowdStrike Falcon Intrusion Detection High Severity, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, CrowdStrike Falcon Identity Protection Detection High Severity, Exfiltration Via Pscp, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, CrowdStrike Falcon Identity Protection Detection Informational Severity, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, CrowdStrike Falcon Identity Protection Detection Low Severity, Svchost Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Winrshost Wrong Parent, CrowdStrike Falcon Intrusion Detection Critical Severity"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Shell PID Injection, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection Informational Severity, Cryptomining, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, CrowdStrike Falcon Mobile Detection Critical Severity, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection Low Severity, Dynamic DNS Contacted, CrowdStrike Falcon Mobile Detection High Severity, CrowdStrike Falcon Mobile Detection Medium Severity, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Shell PID Injection, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Suspicious desktop.ini Action, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, HTA Infection Chains, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Identity Protection Detection Informational Severity, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, CrowdStrike Falcon Identity Protection Detection Medium Severity, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Identity Protection Detection Critical Severity, Explorer Process Executing HTA File, ISO LNK Infection Chain, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Low Severity, IcedID Execution Using Excel, Winword Document Droppers, CrowdStrike Falcon Intrusion Detection High Severity, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Intrusion Detection"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, CrowdStrike Falcon Intrusion Detection Informational Severity, PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, CrowdStrike Falcon Identity Protection Detection Low Severity, WMIC Uninstall Product, MalwareBytes Uninstallation, CrowdStrike Falcon Intrusion Detection Critical Severity, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, CrowdStrike Falcon Identity Protection Detection High Severity, Default Encoding To UTF-8 PowerShell, CrowdStrike Falcon Identity Protection Detection Informational Severity, Socat Relaying Socket, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, CrowdStrike Falcon Identity Protection Detection Medium Severity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, CrowdStrike Falcon Identity Protection Detection Critical Severity, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, CrowdStrike Falcon Intrusion Detection Medium Severity, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Trickbot Malware Activity, CrowdStrike Falcon Intrusion Detection Low Severity, Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, CrowdStrike Falcon Intrusion Detection High Severity, Microsoft Office Spawning Script, Mustang Panda Dropper, CrowdStrike Falcon Intrusion Detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Informational Severity, Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Identity Protection Detection Informational Severity, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, CrowdStrike Falcon Identity Protection Detection Medium Severity, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, CrowdStrike Falcon Identity Protection Detection Critical Severity, Winword wrong parent, Smss Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Winrshost Wrong Parent, SolarWinds Suspicious File Creation, CrowdStrike Falcon Intrusion Detection Low Severity, Exfiltration Via Pscp, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, CrowdStrike Falcon Intrusion Detection High Severity, Csrss Wrong Parent, CrowdStrike Falcon Intrusion Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, CMSTP UAC Bypass via COM Object Access, Shell PID Injection"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, CrowdStrike Falcon Mobile Detection Critical Severity, CrowdStrike Falcon Mobile Detection Medium Severity, CrowdStrike Falcon Mobile Detection High Severity, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection Low Severity, CrowdStrike Falcon Mobile Detection Informational Severity, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Shell PID Injection, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
index 81708f65d7..830b4c6c3d 100644
--- a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, HTA Infection Chains, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Socat Reverse Shell Detection, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Daspren Parad Malicious Behavior"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Socat Relaying Socket, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Trace Alteration, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Daspren Parad Malicious Behavior"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
index c0b7e7c02f..e6090e513b 100644
--- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
index c8a18d3a7c..ef70ccc750 100644
--- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Scripting In A WMI Consumer, HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write, WMI Event Subscription, COM Hijack Via Sdclt"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Remote Task Creation Via ATSVC Named Pipe, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Powershell Winlogon Helper DLL, Kernel Module Alteration, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, System Network Connections Discovery, Microsoft Windows Active Directory Module Commandlets, Remote System Discovery Via Telnet"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, HarfangLab EDR High Threat, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked (HL-AI engine), Sysmon Windows File Block Executable, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Hlai Engine Detection, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, HTA Infection Chains, HarfangLab EDR Critical Threat, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, HarfangLab EDR Low Threat, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, ISO LNK Infection Chain, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Suspicious SAM Dump, RedMimicry Winnti Playbook Dropped File, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, SAM Registry Hive Handle Request, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Suspicious SAM Dump, RedMimicry Winnti Playbook Dropped File, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Load Of dbghelp/dbgcore DLL From Suspicious Process, Password Dumper Activity On LSASS, Process Memory Dump Using Createdump, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, DPAPI Domain Backup Key Extraction, Lsass Access Through WinRM, Unsigned Image Loaded Into LSASS Process, HackTools Suspicious Names, Malicious Service Installations, Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, LSASS Access From Non System Account, Rubeus Tool Command-line, Credential Dumping By LaZagne, Process Memory Dump Using Comsvcs, DCSync Attack, LSASS Memory Dump File Creation, Transfering Files With Credential Data Via Network Shares, Mimikatz LSASS Memory Access, Active Directory Database Dump Via Ntdsutil, HackTools Suspicious Process Names In Command Line, SAM Registry Hive Handle Request, Suspicious CommandLine Lsassy Pattern, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, WCE wceaux.dll Creation, NetNTLM Downgrade Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Information Stealer Downloading Legitimate Third-Party DLLs, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, Ursnif Registry Key, RDP Port Change Using Powershell, Blue Mockingbird Malware, FlowCloud Malware, Chafer (APT 39) Activity, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Disabling SmartScreen Via Registry, OceanLotus Registry Activity, Disable Security Events Logging Adding Reg Key MiniNt, Disable Workstation Lock, DHCP Callout DLL Installation, Remote Registry Management Using Reg Utility, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, NetNTLM Downgrade Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMI DLL Loaded Via Office, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Configuration Changed, TrustedInstaller Impersonation, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Python Opening Ports, Microsoft Malware Protection Engine Crash, Suspect Svchost Memory Access, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Configuration Changed, TrustedInstaller Impersonation, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Execution From Suspicious Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Trickbot Malware Activity, Mshta Suspicious Child Process, Microsoft Office Spawning Script, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, In-memory PowerShell, XSL Script Processing And SquiblyTwo Attack, Malicious PowerShell Keywords, Exploited CVE-2020-10189 Zoho ManageEngine, AutoIt3 Execution From Suspicious Folder, Detection of default Mimikatz banner, MalwareBytes Uninstallation, FromBase64String Command Line, Invoke-TheHash Commandlets, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Threat Detected, Turla Named Pipes, Suspicious Taskkill Command, Suspicious Outlook Child Process, Socat Reverse Shell Detection, Suspicious DLL Loaded Via Office Applications, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Scripting In A WMI Consumer, Microsoft Defender Antivirus Disabled Base64 Encoded, Sekoia.io EICAR Detection, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, Aspnet Compiler, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, WMI DLL Loaded Via Office, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Suspicious Windows Script Execution, WMIC Uninstall Product, PowerShell NTFS Alternate Data Stream, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL, Alternate PowerShell Hosts Pipe"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Active Directory Delegate To KRBTGT Service, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, User Added to Local Administrators, Mimikatz Basic Commands, Active Directory Replication User Backdoor, Active Directory User Backdoors, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Antivirus Password Dumper Detection, Audit CVE Event, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Remote Access Tool Domain"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, In-memory PowerShell, Detection of default Mimikatz banner, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Turla Named Pipes, Suspicious Taskkill Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, PowerShell Download From URL, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Alternate PowerShell Hosts Pipe"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Dynwrapx Module Loading, Malicious Named Pipe, Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Process Hollowing Detection, Svchost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Process Herpaderping, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Cobalt Strike Named Pipes, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, APT29 Fake Google Update Service Install, Taskhost Wrong Parent, Chafer (APT 39) Activity, Searchindexer Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, StoneDrill Service Install, Explorer Wrong Parent, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Cobalt Strike Default Service Creation Usage, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, APT29 Fake Google Update Service Install, Taskhost Wrong Parent, Chafer (APT 39) Activity, Searchindexer Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, StoneDrill Service Install, Explorer Wrong Parent, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Cobalt Strike Default Service Creation Usage, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Antivirus Web Shell Detection, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Antivirus Web Shell Detection, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Eventlog Cleared, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Dynwrapx Module Loading, Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, Setuid Or Setgid Usage, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, HarfangLab EDR High Threat, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked (HL-AI engine), Sysmon Windows File Block Executable, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, HarfangLab EDR Critical Threat, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Python Opening Ports, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Usage Of Sysinternals Tools, Metasploit PSExec Service Creation, Suspicious PsExec Execution, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Smbexec.py Service Installation, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Windows Suspicious Service Creation, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Credential Dumping Tools Service Execution, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Usage Of Sysinternals Tools, Windows Update LolBins, Metasploit PSExec Service Creation, Suspicious PsExec Execution, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Exfiltration Via Pscp, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Check Point Harmony Mobile Application Forbidden, Smbexec.py Service Installation, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Windows Suspicious Service Creation, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Credential Dumping Tools Service Execution, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Unsigned Image Loaded Into LSASS Process, Password Dumper Activity On LSASS, Mimikatz LSASS Memory Access, Process Memory Dump Using Createdump, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Credential Dumping-Tools Common Named Pipes, LSASS Access From Non System Account, Credential Dumping By LaZagne, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, LSASS Memory Dump File Creation, Dumpert LSASS Process Dumper, Credential Dump Tools Related Files, Lsass Access Through WinRM, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, DPAPI Domain Backup Key Extraction, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Possible Replay Attack, Kerberos Pre-Auth Disabled in UAC, Suspicious Kerberos Ticket, Rubeus Tool Command-line, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection, Suspicious TGS requests (Kerberoasting)"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Narrator Feedback-Hub Persistence, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, Netscan Share Access Artefact, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, AD User Enumeration, Reconnaissance Commands Activities, Remote Enumeration Of Lateral Movement Groups, Remote Privileged Group Enumeration, Discovery Commands Correlation"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Denied Access To Remote Desktop, RDP Login From Localhost"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, MMC20 Lateral Movement, RDP Login From Localhost, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Denied Access To Remote Desktop, Admin Share Access, Lateral Movement Remote Named Pipe, MMC Spawning Windows Shell, RDP Port Change Using Powershell, Cobalt Strike Default Service Creation Usage, Lsass Access Through WinRM"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added to Local Administrators, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Denied Access To Remote Desktop, Account Added To A Security Enabled Group"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, GitLab CVE-2021-22205"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, Cryptomining, Suspicious Windows DNS Queries, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Sliver DNS Beaconing, Many Downloads From Several Binaries, Python HTTP Server"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, SSH Tunnel Traffic, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SSH X11 Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Hijack Legit RDP Session To Move Laterally, Werfault DLL Injection, Windows Registry Persistence COM Search Order Hijacking, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, AD User Enumeration, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility, Putty Sessions Listing"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Werfault DLL Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Secure Deletion With SDelete"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Lateral Movement Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Cisco Umbrella Threat Detected, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution, DCSync Attack"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 1, SCM Database Privileged Operation, PowerView commandlets 2"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Audit CVE Event, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior, Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Successful Brute Force Login From Internet, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Event Subscription, HTML Smuggling Suspicious Usage, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Svchost Modification, NjRat Registry Changes, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, DLL Load via LSASS Registry Key, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Njrat Registry Values, Narrator Feedback-Hub Persistence, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credentials Extraction"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious DLL Loaded Via Office Applications, Suspicious Outlook Child Process, HarfangLab EDR High Threat, Sysmon Windows File Block Executable, HarfangLab EDR Low Threat, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HTA Infection Chains, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, ISO LNK Infection Chain, HarfangLab EDR Critical Threat, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Hlai Engine Detection, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, HarfangLab EDR Medium Threat, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File, SAM Registry Hive Handle Request, Impacket Secretsdump.py Tool, Suspicious SAM Dump, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Malicious Service Installations, Copying Sensitive Files With Credential Data, Dumpert LSASS Process Dumper, LSASS Access From Non System Account, Transfering Files With Credential Data Via Network Shares, LSASS Memory Dump, Wdigest Enable UseLogonCredential, Password Dumper Activity On LSASS, Active Directory Replication from Non Machine Account, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, LSASS Memory Dump File Creation, Active Directory Database Dump Via Ntdsutil, Grabbing Sensitive Hives Via Reg Utility, Mimikatz LSASS Memory Access, HackTools Suspicious Names, Lsass Access Through WinRM, NTDS.dit File Interaction Through Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dumping-Tools Common Named Pipes, Process Memory Dump Using Rdrleakdiag, DPAPI Domain Backup Key Extraction, Credential Dumping By LaZagne, NetNTLM Downgrade Attack, Rubeus Tool Command-line, Suspicious SAM Dump, Credential Dumping Tools Service Execution, Copying Browser Files With Credentials, DCSync Attack, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, RedMimicry Winnti Playbook Dropped File, SAM Registry Hive Handle Request, Impacket Secretsdump.py Tool, HackTools Suspicious Process Names In Command Line, Unsigned Image Loaded Into LSASS Process, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, OceanLotus Registry Activity, Remote Registry Management Using Reg Utility, Blue Mockingbird Malware, Chafer (APT 39) Activity, Suspicious New Printer Ports In Registry, Disable Security Events Logging Adding Reg Key MiniNt, Disable Workstation Lock, FlowCloud Malware, NetNTLM Downgrade Attack, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, RDP Port Change Using Powershell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMI DLL Loaded Via Office, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Python Opening Ports, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Configuration Changed, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspect Svchost Memory Access, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Microsoft Defender Antivirus Tampering Detected, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious DLL Loaded Via Office Applications, Suspicious Outlook Child Process, PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, QakBot Process Creation, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Detection of default Mimikatz banner, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Invocations - Specific, In-memory PowerShell, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Socat Relaying Socket, PowerShell Malicious PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, SquirrelWaffle Malspam Execution Loading DLL, WMI DLL Loaded Via Office, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Turla Named Pipes, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious Scripting In A WMI Consumer, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Aspnet Compiler, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Trickbot Malware Activity, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Threat Detected, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream, Mustang Panda Dropper"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Active Directory User Backdoors, Active Directory Replication User Backdoor, Active Directory Delegate To KRBTGT Service, Privileged AD Builtin Group Modified, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, User Added to Local Administrators"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Audit CVE Event, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Antivirus Exploitation Framework Detection, Suspicious New Printer Ports In Registry, Antivirus Password Dumper Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection, Remote Access Tool Domain, Antivirus Password Dumper Detection"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Detection of default Mimikatz banner, Bloodhound and Sharphound Tools Usage, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Invocations - Specific, In-memory PowerShell, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Turla Named Pipes, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dynwrapx Module Loading, Cobalt Strike Named Pipes, Spoolsv Wrong Parent, Process Hollowing Detection, MavInject Process Injection, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Process Herpaderping, Malicious Named Pipe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Cobalt Strike Default Service Creation Usage, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Wininit Wrong Parent, StoneDrill Service Install, APT29 Fake Google Update Service Install, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Cobalt Strike Default Service Creation Usage, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Wininit Wrong Parent, StoneDrill Service Install, APT29 Fake Google Update Service Install, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Cookies Deletion, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, Eventlog Cleared, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Dynwrapx Module Loading, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Setuid Or Setgid Usage, HTML Smuggling Suspicious Usage, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Suspicious DLL Loaded Via Office Applications, HarfangLab EDR High Threat, Sysmon Windows File Block Executable, HarfangLab EDR Low Threat, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Critical Threat, HarfangLab EDR Hlai Engine Detection, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Winword Document Droppers, HarfangLab EDR Medium Threat, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious DLL Loaded Via Office Applications, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, WMI DLL Loaded Via Office"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Python Opening Ports"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious PsExec Execution, Taskhost Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, PsExec Process, Lsass Wrong Parent, Smbexec.py Service Installation, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, Metasploit PSExec Service Creation, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Credential Dumping Tools Service Execution, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, WMI Persistence Command Line Event Consumer, Windows Suspicious Service Creation"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious PsExec Execution, Taskhost Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, PsExec Process, Lsass Wrong Parent, Smbexec.py Service Installation, Windows Update LolBins, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Metasploit PSExec Service Creation, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Credential Dumping Tools Service Execution, Winrshost Wrong Parent, SolarWinds Suspicious File Creation, Check Point Harmony Mobile Application Forbidden, Microsoft Defender Antivirus Threat Detected, Suspicious Commands From MS SQL Server Shell, Exfiltration Via Pscp, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, WMI Persistence Command Line Event Consumer, Windows Suspicious Service Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, LSASS Access From Non System Account, Credential Dumping By LaZagne, Windows Credential Editor Registry Key, LSASS Memory Dump, LSASS Memory Dump File Creation, Mimikatz LSASS Memory Access, Lsass Access Through WinRM, Password Dumper Activity On LSASS, Unsigned Image Loaded Into LSASS Process, Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Kerberos Ticket, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection, Rubeus Tool Command-line, Suspicious TGS requests (Kerberoasting), Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, TUN/TAP Driver Installation, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Svchost Modification, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Netscan Share Access Artefact, PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance, Reconnaissance Commands Activities, AD User Enumeration, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1, Discovery Commands Correlation, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, MMC20 Lateral Movement, Smbexec.py Service Installation, Lsass Access Through WinRM, MMC Spawning Windows Shell, Protected Storage Service Access, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Denied Access To Remote Desktop, RDP Login From Localhost, Admin Share Access, RDP Port Change Using Powershell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Denied Access To Remote Desktop, Account Added To A Security Enabled Group, User Added to Local Administrators"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Suspicious LDAP-Attributes Used, Python HTTP Server, Cryptomining, Suspicious Windows DNS Queries, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Many Downloads From Several Binaries, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility, Credentials Extraction, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, SSH Tunnel Traffic, Socat Relaying Socket, Socat Reverse Shell Detection, SSH X11 Forwarding, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Windows Registry Persistence COM Search Order Hijacking, Werfault DLL Injection, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, SysKey Registry Keys Access, Putty Sessions Listing"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Secure Deletion With SDelete, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Certificate Request-adcs Abuse, Suspicious Kerberos Ticket"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, DCSync Attack"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 2, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Audit CVE Event, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname, TOR Usage Generic Rule"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying, Successful Brute Force Login From Internet"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
index 6844bead3f..02f2cfdabc 100644
--- a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Trace Alteration, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index f1baefd23b..db28456bc7 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index dc58909c83..31ecd5fa2a 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Powershell Winlogon Helper DLL, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, NetNTLM Downgrade Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, Disabling SmartScreen Via Registry, Blue Mockingbird Malware, FlowCloud Malware, NetNTLM Downgrade Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Mshta Suspicious Child Process, Microsoft Office Spawning Script, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, AutoIt3 Execution From Suspicious Folder, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Threat Detected, Suspicious Taskkill Command, Suspicious Outlook Child Process, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding, NetNTLM Downgrade Attack"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program, NetNTLM Downgrade Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Windows Update LolBins, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Exfiltration Via Pscp, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Login Brute-Force Successful On SentinelOne EDR Management Console, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, IcedID Execution Using Excel"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Svchost Modification, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, NetNTLM Downgrade Attack, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, RDP Sensitive Settings Changed, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Disabling SmartScreen Via Registry"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Trickbot Malware Activity, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Threat Detected, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Spawning Script, Mustang Panda Dropper"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Microsoft Defender Antivirus Tampering Detected, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus Tampering Detected, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Svchost Modification, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, SolarWinds Suspicious File Creation, Microsoft Defender Antivirus Threat Detected, Exfiltration Via Pscp, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Malspam Execution Registering Malicious DLL, Microsoft Defender Antivirus Threat Detected, Sysmon Windows File Block Executable, IcedID Execution Using Excel, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Office Creating Suspicious File, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
index 71a9b86ca5..ed5bf716de 100644
--- a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Dynamic DNS Contacted, Sliver DNS Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Broadcom Edge Secure Web Gateway High Threat"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, TrevorC2 HTTP Communication, Koadic MSHTML Command, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Broadcom Edge Secure Web Gateway High Threat"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
index 92cf917dc9..f48de8daa8 100644
--- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Malware Persistence Registry Key"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Suspicious PROCEXP152.sys File Created In Tmp, Suspicious Microsoft Defender Antivirus Exclusion Command, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, WMImplant Hack Tool, Suspicious PowerShell Invocations - Specific, Suspicious PowerShell Invocations - Generic, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell EncodedCommand, FromBase64String Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Adidnsdump Enumeration"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, Invoke-TheHash Commandlets, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Disable Task Manager Through Registry Key, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, WMIC Uninstall Product, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Forwarding, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Powershell AMSI Bypass, Netsh Allowed Python Program, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Phorpiex DriveMgr Command, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Linux Bash Reverse Shell, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, Mustang Panda Dropper"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, CertOC Loading Dll"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Powershell Web Request, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, DNS Exfiltration and Tunneling Tools Execution, Invoke-TheHash Commandlets, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Credentials Extraction, Container Credential Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, DNS Exfiltration and Tunneling Tools Execution, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Python HTTP Server"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credentials Extraction"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
index 787cf69c5b..124ac39b56 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Suspicious File Name, Socat Reverse Shell Detection, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Trace Alteration, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
index 86f468d7b6..6c39c15d0d 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Exploit For CVE-2015-1641, ZIP LNK Infection Chain, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, ISO LNK Infection Chain, ESET Protect Intrusion Detection"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, QakBot Process Creation, Suspicious Outlook Child Process, Socat Relaying Socket, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Wmiprvse Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Wmiprvse Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, ESET Protect Malware, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: ESET Protect Set Policy"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: ESET Protect Remote Action"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, HTA Infection Chains, ESET Protect Intrusion Detection, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Sekoia.io EICAR Detection, QakBot Process Creation, Socat Relaying Socket, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Microsoft Office Spawning Script"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, ESET Protect Malware"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: ESET Protect Set Policy"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: ESET Protect Remote Action"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
index 9fcadcf510..8e47866e2a 100644
--- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
index 9e50202802..5c41f922bf 100644
--- a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Cryptomining, Cobalt Strike HTTP Default POST Beaconing, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Cobalt Strike DNS Beaconing, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Sliver DNS Beaconing, Potential LokiBot User-Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
index c7230f017b..3e3edc6137 100644
--- a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
index 3fc7b2bf66..b67bc09314 100644
--- a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
index add9f237e1..247640b903 100644
--- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write, WMI Event Subscription, COM Hijack Via Sdclt"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Cron Files Alteration, Remote Task Creation Via ATSVC Named Pipe, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Powershell Winlogon Helper DLL, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, System Network Connections Discovery, Microsoft Windows Active Directory Module Commandlets, Remote System Discovery Via Telnet"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, HarfangLab EDR High Threat, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked (HL-AI engine), Sysmon Windows File Block Executable, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Hlai Engine Detection, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, HTA Infection Chains, HarfangLab EDR Critical Threat, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, HarfangLab EDR Low Threat, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, ISO LNK Infection Chain, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Password Dumper Activity On LSASS, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Process Trace Alteration, HackTools Suspicious Names, Malicious Service Installations, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Transfering Files With Credential Data Via Network Shares, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Information Stealer Downloading Legitimate Third-Party DLLs, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, Chafer (APT 39) Activity, OceanLotus Registry Activity, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Wdigest Enable UseLogonCredential, Remote Registry Management Using Reg Utility, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, RDP Sensitive Settings Changed, RDP Port Change Using Powershell, Blue Mockingbird Malware, FlowCloud Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, TrustedInstaller Impersonation, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Defender Deactivation Using PowerShell Script"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Package Manager Alteration, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, TrustedInstaller Impersonation, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Windows Defender Deactivation Using PowerShell Script"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Trickbot Malware Activity, Mshta Suspicious Child Process, Microsoft Office Spawning Script, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, XSL Script Processing And SquiblyTwo Attack, Malicious PowerShell Keywords, Exploited CVE-2020-10189 Zoho ManageEngine, AutoIt3 Execution From Suspicious Folder, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Threat Detected, Suspicious Taskkill Command, Suspicious Outlook Child Process, Socat Reverse Shell Detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, Aspnet Compiler, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, PowerShell NTFS Alternate Data Stream, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Antivirus Password Dumper Detection, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Remote Access Tool Domain"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, PowerShell Download From URL, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Chafer (APT 39) Activity, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Chafer (APT 39) Activity, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Antivirus Web Shell Detection, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Antivirus Web Shell Detection, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Eventlog Cleared, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Shell PID Injection, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Suspicious Kerberos Ticket, Rubeus Register New Logon Process, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, Netscan Share Access Artefact, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, Shell PID Injection, PowerView commandlets 2, AD User Enumeration, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, Remote Enumeration Of Lateral Movement Groups, Remote Privileged Group Enumeration, Discovery Commands Correlation"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Suspicious PsExec Execution, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Smbexec.py Service Installation, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Windows Update LolBins, Suspicious PsExec Execution, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Exfiltration Via Pscp, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Smbexec.py Service Installation, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cobalt Strike DNS Beaconing, Cryptomining, Chafer (APT 39) Activity, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Potential Bazar Loader User-Agents, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Chafer (APT 39) Activity, Suspicious Windows DNS Queries, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, HarfangLab EDR High Threat, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked (HL-AI engine), Sysmon Windows File Block Executable, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, HarfangLab EDR Critical Threat, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, MMC20 Lateral Movement, RDP Login From Localhost, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Admin Share Access, Lateral Movement Remote Named Pipe, MMC Spawning Windows Shell, RDP Port Change Using Powershell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, Credentials Extraction, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Python HTTP Server, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Password Dumper Activity On LSASS, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, Putty Sessions Listing"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added to Local Administrators, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement Remote Named Pipe, Admin Share Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group, Enabling Restricted Admin Mode, Privileged AD Builtin Group Modified, User Added to Local Administrators, Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious Hostname, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior, Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Successful Brute Force Login From Internet, RSA SecurID Failed Authentification"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, CVE 2022-1292"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Event Subscription, HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Chafer (APT 39) Activity, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Chafer (APT 39) Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Svchost Modification, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credentials Extraction"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, HarfangLab EDR High Threat, Sysmon Windows File Block Executable, HarfangLab EDR Low Threat, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HTA Infection Chains, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, ISO LNK Infection Chain, HarfangLab EDR Critical Threat, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Hlai Engine Detection, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, HarfangLab EDR Medium Threat, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Malicious Service Installations, Copying Sensitive Files With Credential Data, Transfering Files With Credential Data Via Network Shares, Wdigest Enable UseLogonCredential, Password Dumper Activity On LSASS, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Impacket Secretsdump.py Tool, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, DHCP Callout DLL Installation, Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, RDP Sensitive Settings Changed, Remote Registry Management Using Reg Utility, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Chafer (APT 39) Activity, Suspicious New Printer Ports In Registry, RDP Port Change Using Powershell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Microsoft Defender Antivirus Tampering Detected, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, QakBot Process Creation, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Socat Relaying Socket, PowerShell Malicious PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Aspnet Compiler, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Trickbot Malware Activity, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Threat Detected, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream, Python Offensive Tools and Packages, Mustang Panda Dropper"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Antivirus Exploitation Framework Detection, Suspicious New Printer Ports In Registry, Antivirus Password Dumper Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection, Remote Access Tool Domain, Antivirus Password Dumper Detection"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Wininit Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Wininit Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, Eventlog Cleared, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, CMSTP UAC Bypass via COM Object Access, Shell PID Injection, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Rubeus Register New Logon Process, Possible Replay Attack, Suspicious Kerberos Ticket"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Svchost Modification, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Netscan Share Access Artefact, PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, AD User Enumeration, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Shell PID Injection, PowerView commandlets 1, Discovery Commands Correlation, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious PsExec Execution, Taskhost Wrong Parent, Malicious Service Installations, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Smbexec.py Service Installation, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious PsExec Execution, Taskhost Wrong Parent, Malicious Service Installations, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Smbexec.py Service Installation, Windows Update LolBins, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, SolarWinds Suspicious File Creation, Microsoft Defender Antivirus Threat Detected, Suspicious Commands From MS SQL Server Shell, Exfiltration Via Pscp, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Cobalt Strike DNS Beaconing, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Python HTTP Server, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Potential LokiBot User-Agent"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR High Threat, Sysmon Windows File Block Executable, HarfangLab EDR Low Threat, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Critical Threat, HarfangLab EDR Hlai Engine Detection, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Winword Document Droppers, HarfangLab EDR Medium Threat, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, MMC20 Lateral Movement, Smbexec.py Service Installation, MMC Spawning Windows Shell, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, RDP Login From Localhost, Admin Share Access, RDP Port Change Using Powershell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Remote Registry Management Using Reg Utility, Credentials Extraction, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Python HTTP Server, Suspicious Windows DNS Queries, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Password Dumper Activity On LSASS, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation, AD User Enumeration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, Putty Sessions Listing"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Account Added To A Security Enabled Group, User Added to Local Administrators"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, Smbexec.py Service Installation, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, SSH Authorized Key Alteration, Add User to Privileged Group, Privileged AD Builtin Group Modified, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, User Added to Local Administrators"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, Suspicious Hostname, TOR Usage Generic Rule"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Possible RottenPotato Attack, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Correlation Internal Ntlm Password Spraying, Successful Brute Force Login From Internet"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292, Successful Brute Force Login From Internet"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
index 46cb121f28..a9d8cdcb03 100644
--- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert, Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
index fd0ffd9d50..d0308bf5d7 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Sophos EDR CorePUA Detection, Sophos EDR Application Detected, Sophos EDR CorePUA Clean, Sophos EDR Application Blocked"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Blocked, Download Files From Suspicious TLDs, Sophos EDR CorePUA Clean, Sophos EDR CorePUA Detection, Sophos EDR Application Detected"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
index 95af3b34dc..b4b6e5ff87 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
index 13bdb28a0b..de1fbbce9e 100644
--- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cryptomining, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Suspicious File Name, Socat Reverse Shell Detection, Sekoia.io EICAR Detection"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Potential LokiBot User-Agent"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
index 21bc96e291..11f43e0068 100644
--- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Cron Files Alteration, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Powershell Winlogon Helper DLL, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, System Network Connections Discovery, Microsoft Windows Active Directory Module Commandlets, Remote System Discovery Via Telnet"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Exploit For CVE-2015-1641, ZIP LNK Infection Chain, Microsoft Office Spawning Script, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, ISO LNK Infection Chain, IcedID Execution Using Excel"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Dumpert LSASS Process Dumper, NetNTLM Downgrade Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, Disabling SmartScreen Via Registry, RDP Port Change Using Powershell, Blue Mockingbird Malware, FlowCloud Malware, NetNTLM Downgrade Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, TrustedInstaller Impersonation, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Package Manager Alteration, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, TrustedInstaller Impersonation, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Trickbot Malware Activity, Mshta Suspicious Child Process, Microsoft Office Spawning Script, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Malicious PowerShell Keywords, Exploited CVE-2020-10189 Zoho ManageEngine, AutoIt3 Execution From Suspicious Folder, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Outlook Child Process, Socat Reverse Shell Detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, Aspnet Compiler, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, PowerShell NTFS Alternate Data Stream, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, PowerShell Download From URL, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, Shell PID Injection, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Usage Of Sysinternals Tools, Windows Update LolBins, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Exfiltration Via Pscp, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, Shell PID Injection, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, RDP Port Change Using Powershell, MMC20 Lateral Movement"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, Credentials Extraction, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Dumpert LSASS Process Dumper, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, Suspicious DNS Child Process, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Outlook Child Process, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Svchost Modification, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool, Credentials Extraction"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, HTA Infection Chains, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, NetNTLM Downgrade Attack, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, RDP Sensitive Settings Changed, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Disabling SmartScreen Via Registry, RDP Port Change Using Powershell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, QakBot Process Creation, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Socat Relaying Socket, PowerShell Malicious PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Aspnet Compiler, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Trickbot Malware Activity, Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream, Python Offensive Tools and Packages, Mustang Panda Dropper"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, CMSTP UAC Bypass via COM Object Access, Shell PID Injection, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Lsass Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Exfiltration Via Pscp, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Svchost Modification, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Shell PID Injection, PowerView commandlets 1, Discovery Commands Correlation, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, RDP Port Change Using Powershell, MMC Spawning Windows Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Credentials Extraction, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Dumpert LSASS Process Dumper, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-21972 VMware vCenter, Suspicious DNS Child Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, SSH Authorized Key Alteration, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
index 847cb70f4b..6b2f24ae34 100644
--- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Quarantined, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Interactive Terminal Spawned via Python, Socat Relaying Socket, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Terminate, Cobalt Strike Default Beacons Names, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Cleaned"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Disabled Service"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
index 943177ba0a..43b7a8910e 100644
--- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
index d0a84825d8..b8b88abbc3 100644
--- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
index 211e3a9257..773a105bc2 100644
--- a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid High Severity Alert, Tenable Identity Exposure / Alsid Critical Severity Alert"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid Critical Severity Alert, Tenable Identity Exposure / Alsid High Severity Alert"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
index f846cc7394..8ddee3409e 100644
--- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cryptomining, Cobalt Strike HTTP Default POST Beaconing, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Suspicious File Name, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Sliver DNS Beaconing, Potential LokiBot User-Agent"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Aspnet Compiler"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
index 69dcd739f4..98fc8013f8 100644
--- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cato Networks SASE High Risk Alert"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Cato Networks SASE High Risk Alert, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
index 908cfa9c89..067fb54808 100644
--- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Proofpoint TAP Email Classified As Spam But Allowed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Phishing But Allowed, SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Spam But Allowed, Possible Malicious File Double Extension, Proofpoint TAP Email Classified As Malware But Allowed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
index 93afebff71..1c1cc5c7ea 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sesame it Jizo NDR [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, LokiBot Default C2 URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Alert High Severity Sesame it Jizo NDR"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sesame it Jizo NDR [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, LokiBot Default C2 URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Alert High Severity Sesame it Jizo NDR"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
index 3e2f52794b..42a3c44cef 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
index bcec542498..7f6ca40230 100644
--- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
index b13b35c6b7..0f8a974fe7 100644
--- a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
index 087232e72a..3674aff155 100644
--- a/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Load Balancing [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Load Balancing [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
index 3e1e80f0b2..a367792153 100644
--- a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
index 2abdd46a78..27bb848929 100644
--- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
index 87f65d75f8..5fa1cd4b59 100644
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Microsoft Defender Antivirus Threat Detected, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Fortinet FortiGate Firewall Successful External Login"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection, Suspicious File Name, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Sliver DNS Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, Fortinet FortiGate Firewall Successful External Login, Fortinet FortiGate Firewall Login In Failure, RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, Account Added To A Security Enabled Group, Fortinet FortiGate Firewall Successful External Login, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Sliver DNS Beaconing, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike DNS Beaconing, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure, Login Brute-Force On Firewall, RSA SecurID Failed Authentification, Fortinet FortiGate Firewall Successful External Login"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
index b63725b139..80186b4a90 100644
--- a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Bitsight SPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Bitsight SPM Material Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Minor Vulnerability"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Bitsight SPM Material Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Minor Vulnerability"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Bitsight SPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Bitsight SPM Moderate Vulnerability, Bitsight SPM Material Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Minor Vulnerability"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Bitsight SPM Moderate Vulnerability, Bitsight SPM Material Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Minor Vulnerability"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
index 54d87ae197..46dc38829f 100644
--- a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security High Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Low Severity Alert"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security High Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Lacework Cloud Security High Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Medium Severity Alert"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: Lacework Cloud Security High Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Medium Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
index 7eaa985372..652145da69 100644
--- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
index 54b4f68b15..5052b51df3 100644
--- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, Process Trace Alteration, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMImplant Hack Tool"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Disabled Service, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Disabled Service, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Download From URL"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, PsExec Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Suspicious desktop.ini Action, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Copy Of Legitimate System32 Executable, RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Mustang Panda Dropper"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, SELinux Disabling, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Disabled Service, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, SELinux Disabling, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Disabled Service, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, Mustang Panda Dropper"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
index 1307530a48..88914e367f 100644
--- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Cron Files Alteration, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Powershell Winlogon Helper DLL, Malware Persistence Registry Key, Svchost Modification, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, Process Trace Alteration, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Mshta Suspicious Child Process, Microsoft Office Spawning Script, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, AutoIt3 Execution From Suspicious Folder, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Outlook Child Process, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, Aspnet Compiler, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Svchost Modification, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Windows Update LolBins, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Exfiltration Via Pscp, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Suspicious desktop.ini Action, Svchost Modification, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Aspnet Compiler, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Trickbot Malware Activity, Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Spawning Script, Python Offensive Tools and Packages, Mustang Panda Dropper"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, SolarWinds Suspicious File Creation, Suspicious Commands From MS SQL Server Shell, Exfiltration Via Pscp, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, SSH Authorized Key Alteration, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
index 102055a734..592a004574 100644
--- a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
index 6ed8973361..5c0c2d3a93 100644
--- a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
index 7e3d8b99e9..c32021722d 100644
--- a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
index 4ce7c7ce2e..177a2cc68b 100644
--- a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
index a39ad663bf..7acb7b2cb5 100644
--- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
index d10ebdba49..75a2de9988 100644
--- a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
index b34974d945..ba6ebe71f8 100644
--- a/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Application Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Application Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
index c77bbbc08f..2dbe746105 100644
--- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
index 7d609d31c5..123a5a3881 100644
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Malware Persistence Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Invoke-TheHash Commandlets, WMImplant Hack Tool"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, WMImplant Hack Tool, Suspicious PowerShell Invocations - Specific, Suspicious PowerShell Invocations - Generic, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell EncodedCommand, FromBase64String Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, Invoke-TheHash Commandlets"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Disable Task Manager Through Registry Key, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Powershell AMSI Bypass, Netsh Allowed Python Program, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Phorpiex DriveMgr Command, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Linux Bash Reverse Shell, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, Mustang Panda Dropper"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, CertOC Loading Dll"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Rclone Process, Pandemic Windows Implant"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Powershell Web Request, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, DNS Exfiltration and Tunneling Tools Execution, Invoke-TheHash Commandlets, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
index f087096932..e344c7e46a 100644
--- a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
index ceae9992c7..2c0f86c6ae 100644
--- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
index a8ac42abe6..5089a2bf0e 100644
--- a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
index 2cfd42a106..59a6d8978c 100644
--- a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
index 9c01deb43c..2a00862966 100644
--- a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
index 366465fef6..deeca6a2bc 100644
--- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMImplant Hack Tool"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Download From URL"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Netsh Port Forwarding"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, PowerShell Download From URL, Phorpiex DriveMgr Command, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Python Offensive Tools and Packages, Mustang Panda Dropper"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
index ab61dc73a3..c99362b572 100644
--- a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
index f2bb416793..3637df34be 100644
--- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
index dfd8574a90..9bec55f701 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
index 96ca1171c8..720808368f 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Varonis Massive Dowloads By A Single User, Varonis Many File Created and Deleted"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Varonis Many Accounts Disabled"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Trace Alteration, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Varonis Many File Created and Deleted, Varonis Massive Dowloads By A Single User"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Varonis Many Accounts Disabled"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
index a298418b75..23bfb00a3c 100644
--- a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
index 343dee126b..1a10f64bdf 100644
--- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub High Risk Configuration Disabled, GitHub New Organization Member, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub High Risk Configuration Disabled, GitHub New Organization Member, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
index dd1b2695ee..1f98b8a8e4 100644
--- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
index 890bb2f3bd..8965443408 100644
--- a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
index d19eb0b6fe..7932f2015f 100644
--- a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
index 91b561b973..020e28c20b 100644
--- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
index bcd0d32b4b..8dd7047ac6 100644
--- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Trace Alteration, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
index dfc8551372..d060c671f7 100644
--- a/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Thinkst Canary [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Suspicious Windows DNS Queries, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Cryptomining, LokiBot Default C2 URL, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Suspicious File Name, Socat Reverse Shell Detection, Sekoia.io EICAR Detection"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Thinkst Canary [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
index b002af52c6..5d0aa412c7 100644
--- a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
index 9e5f6e5511..13dee5c42c 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index 356b4b544f..06ca75f259 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, Process Trace Alteration, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMImplant Hack Tool"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, TEHTRIS EDR Alert, PowerShell Download From URL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Download From URL"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, TEHTRIS EDR Alert, PsExec Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, TEHTRIS EDR Alert"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Suspicious desktop.ini Action, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Copy Of Legitimate System32 Executable, Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, TEHTRIS EDR Alert, Mustang Panda Dropper"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, Mustang Panda Dropper"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, TEHTRIS EDR Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, TEHTRIS EDR Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
index b500035cfd..ed558a74f1 100644
--- a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
index d941605a65..75ce365308 100644
--- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Login Brute-Force Successful On SentinelOne EDR Management Console, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Authentication Impossible Travel"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Adidnsdump Enumeration, Internet Scanner Target"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel, Login Brute-Force On Firewall, RSA SecurID Failed Authentification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, WAF Correlation Block actions, Burp Suite Tool Detected, WAF Correlation Block Multiple Destinations, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, Account Added To A Security Enabled Group, Authentication Impossible Travel, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Trace Alteration, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Adidnsdump Enumeration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, RSA SecurID Failed Authentification, Authentication Impossible Travel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Correlation Block Multiple Destinations"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Correlation Block Multiple Destinations, Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
index a3c03dd7c8..a397098533 100644
--- a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
index 4113cbad71..7b99fc3f89 100644
--- a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index 5f3112165e..d07f05ddd6 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Scripting In A WMI Consumer, HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write, WMI Event Subscription, COM Hijack Via Sdclt"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Remote Task Creation Via ATSVC Named Pipe, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Powershell Winlogon Helper DLL, Kernel Module Alteration, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, System Network Connections Discovery, Microsoft Windows Active Directory Module Commandlets, Remote System Discovery Via Telnet"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, HarfangLab EDR High Threat, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked (HL-AI engine), Download Files From Suspicious TLDs, Sysmon Windows File Block Executable, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Hlai Engine Detection, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, HTA Infection Chains, HarfangLab EDR Critical Threat, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, HarfangLab EDR Low Threat, HarfangLab EDR Critical Level Rule Detection, Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Login Brute-Force Successful On SentinelOne EDR Management Console, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, ISO LNK Infection Chain, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Suspicious SAM Dump, RedMimicry Winnti Playbook Dropped File, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, SAM Registry Hive Handle Request, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Suspicious SAM Dump, RedMimicry Winnti Playbook Dropped File, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Load Of dbghelp/dbgcore DLL From Suspicious Process, Password Dumper Activity On LSASS, Process Memory Dump Using Createdump, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Process Trace Alteration, DPAPI Domain Backup Key Extraction, Lsass Access Through WinRM, Unsigned Image Loaded Into LSASS Process, HackTools Suspicious Names, Malicious Service Installations, Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, LSASS Access From Non System Account, Rubeus Tool Command-line, Credential Dumping By LaZagne, Process Memory Dump Using Comsvcs, DCSync Attack, LSASS Memory Dump File Creation, Transfering Files With Credential Data Via Network Shares, Mimikatz LSASS Memory Access, Active Directory Database Dump Via Ntdsutil, HackTools Suspicious Process Names In Command Line, SAM Registry Hive Handle Request, Suspicious CommandLine Lsassy Pattern, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, WCE wceaux.dll Creation, NetNTLM Downgrade Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Information Stealer Downloading Legitimate Third-Party DLLs, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, Ursnif Registry Key, RDP Port Change Using Powershell, Blue Mockingbird Malware, FlowCloud Malware, Chafer (APT 39) Activity, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Disabling SmartScreen Via Registry, OceanLotus Registry Activity, Disable Security Events Logging Adding Reg Key MiniNt, Disable Workstation Lock, DHCP Callout DLL Installation, Remote Registry Management Using Reg Utility, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, NetNTLM Downgrade Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMI DLL Loaded Via Office, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Configuration Changed, Fail2ban Unban IP, TrustedInstaller Impersonation, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Python Opening Ports, Microsoft Malware Protection Engine Crash, Suspect Svchost Memory Access, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Configuration Changed, Fail2ban Unban IP, TrustedInstaller Impersonation, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Execution From Suspicious Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Trickbot Malware Activity, Mshta Suspicious Child Process, Microsoft Office Spawning Script, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, In-memory PowerShell, XSL Script Processing And SquiblyTwo Attack, Malicious PowerShell Keywords, Exploited CVE-2020-10189 Zoho ManageEngine, AutoIt3 Execution From Suspicious Folder, Detection of default Mimikatz banner, MalwareBytes Uninstallation, FromBase64String Command Line, Invoke-TheHash Commandlets, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Threat Detected, Turla Named Pipes, Suspicious Taskkill Command, Suspicious Outlook Child Process, Socat Reverse Shell Detection, Suspicious DLL Loaded Via Office Applications, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Scripting In A WMI Consumer, Microsoft Defender Antivirus Disabled Base64 Encoded, Sekoia.io EICAR Detection, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, Aspnet Compiler, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, WMI DLL Loaded Via Office, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, PowerShell NTFS Alternate Data Stream, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL, Alternate PowerShell Hosts Pipe"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, Active Directory Delegate To KRBTGT Service, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, User Added to Local Administrators, Mimikatz Basic Commands, Active Directory Replication User Backdoor, Active Directory User Backdoors, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Antivirus Password Dumper Detection, Audit CVE Event, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Remote Access Tool Domain"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, In-memory PowerShell, Detection of default Mimikatz banner, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Turla Named Pipes, Suspicious Taskkill Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, PowerShell Download From URL, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Alternate PowerShell Hosts Pipe"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Dynwrapx Module Loading, Malicious Named Pipe, Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Process Hollowing Detection, Svchost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Process Herpaderping, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Cobalt Strike Named Pipes, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, APT29 Fake Google Update Service Install, Taskhost Wrong Parent, Chafer (APT 39) Activity, Searchindexer Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, StoneDrill Service Install, Explorer Wrong Parent, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Cobalt Strike Default Service Creation Usage, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, APT29 Fake Google Update Service Install, Taskhost Wrong Parent, Chafer (APT 39) Activity, Searchindexer Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, StoneDrill Service Install, Explorer Wrong Parent, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Cobalt Strike Default Service Creation Usage, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Antivirus Web Shell Detection, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Antivirus Web Shell Detection, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Eventlog Cleared, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Cookies Deletion, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Dynwrapx Module Loading, Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, HarfangLab EDR High Threat, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked (HL-AI engine), Download Files From Suspicious TLDs, Sysmon Windows File Block Executable, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, HarfangLab EDR Critical Threat, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Python Opening Ports, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Usage Of Sysinternals Tools, Metasploit PSExec Service Creation, Suspicious PsExec Execution, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Smbexec.py Service Installation, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Windows Suspicious Service Creation, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Credential Dumping Tools Service Execution, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Usage Of Sysinternals Tools, Windows Update LolBins, Metasploit PSExec Service Creation, Suspicious PsExec Execution, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Exfiltration Via Pscp, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Check Point Harmony Mobile Application Forbidden, Smbexec.py Service Installation, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Windows Suspicious Service Creation, Login Brute-Force Successful On SentinelOne EDR Management Console, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Credential Dumping Tools Service Execution, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Unsigned Image Loaded Into LSASS Process, Password Dumper Activity On LSASS, Mimikatz LSASS Memory Access, Process Memory Dump Using Createdump, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Credential Dumping-Tools Common Named Pipes, LSASS Access From Non System Account, Credential Dumping By LaZagne, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, LSASS Memory Dump File Creation, Dumpert LSASS Process Dumper, Credential Dump Tools Related Files, Lsass Access Through WinRM, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, DPAPI Domain Backup Key Extraction, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Possible Replay Attack, Kerberos Pre-Auth Disabled in UAC, Suspicious Kerberos Ticket, Rubeus Tool Command-line, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection, Suspicious TGS requests (Kerberoasting)"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Narrator Feedback-Hub Persistence, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, Netscan Share Access Artefact, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, AD User Enumeration, Reconnaissance Commands Activities, Remote Enumeration Of Lateral Movement Groups, Remote Privileged Group Enumeration, Discovery Commands Correlation"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Denied Access To Remote Desktop, RDP Login From Localhost"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, MMC20 Lateral Movement, RDP Login From Localhost, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Denied Access To Remote Desktop, Admin Share Access, Lateral Movement Remote Named Pipe, MMC Spawning Windows Shell, RDP Port Change Using Powershell, Cobalt Strike Default Service Creation Usage, Lsass Access Through WinRM"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added to Local Administrators, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Denied Access To Remote Desktop, Account Added To A Security Enabled Group"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious Windows ANONYMOUS LOGON Local Account Created, Suspicious URL Requested By Curl Or Wget Commands, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Chafer (APT 39) Activity, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Potential Bazar Loader User-Agents, Correlation Potential DNS Tunnel, Chafer (APT 39) Activity, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, Credentials Extraction, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Dynamic Linker Hijacking From Environment Variable, Svchost DLL Search Order Hijack, Hijack Legit RDP Session To Move Laterally, Werfault DLL Injection, Windows Registry Persistence COM Search Order Hijacking, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, AD User Enumeration, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility, Putty Sessions Listing"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Werfault DLL Injection"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Secure Deletion With SDelete"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Lateral Movement Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Outlook Child Process, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution, DCSync Attack"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 1, SCM Database Privileged Operation, PowerView commandlets 2"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Audit CVE Event, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage, Suspicious Hostname"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior, Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Successful Brute Force Login From Internet, Correlation Internal Kerberos Password Spraying, RSA SecurID Failed Authentification"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, CVE 2022-1292"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Event Subscription, HTML Smuggling Suspicious Usage, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Svchost Modification, NjRat Registry Changes, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, DLL Load via LSASS Registry Key, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Njrat Registry Values, Narrator Feedback-Hub Persistence, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool, Credentials Extraction"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious DLL Loaded Via Office Applications, Suspicious Outlook Child Process, HarfangLab EDR High Threat, Sysmon Windows File Block Executable, Download Files From Suspicious TLDs, HarfangLab EDR Low Threat, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HTA Infection Chains, Download Files From Non-Legitimate TLDs, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, ISO LNK Infection Chain, HarfangLab EDR Critical Threat, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Hlai Engine Detection, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, HarfangLab EDR Medium Threat, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File, SAM Registry Hive Handle Request, Impacket Secretsdump.py Tool, Suspicious SAM Dump, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Malicious Service Installations, Copying Sensitive Files With Credential Data, Dumpert LSASS Process Dumper, LSASS Access From Non System Account, Transfering Files With Credential Data Via Network Shares, LSASS Memory Dump, Wdigest Enable UseLogonCredential, Password Dumper Activity On LSASS, Active Directory Replication from Non Machine Account, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, LSASS Memory Dump File Creation, Active Directory Database Dump Via Ntdsutil, Grabbing Sensitive Hives Via Reg Utility, Mimikatz LSASS Memory Access, HackTools Suspicious Names, Lsass Access Through WinRM, NTDS.dit File Interaction Through Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dumping-Tools Common Named Pipes, Process Memory Dump Using Rdrleakdiag, DPAPI Domain Backup Key Extraction, Credential Dumping By LaZagne, NetNTLM Downgrade Attack, Rubeus Tool Command-line, Suspicious SAM Dump, Credential Dumping Tools Service Execution, Copying Browser Files With Credentials, DCSync Attack, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, RedMimicry Winnti Playbook Dropped File, Process Trace Alteration, SAM Registry Hive Handle Request, Impacket Secretsdump.py Tool, HackTools Suspicious Process Names In Command Line, Unsigned Image Loaded Into LSASS Process, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, OceanLotus Registry Activity, Remote Registry Management Using Reg Utility, Blue Mockingbird Malware, Chafer (APT 39) Activity, Suspicious New Printer Ports In Registry, Disable Security Events Logging Adding Reg Key MiniNt, Disable Workstation Lock, FlowCloud Malware, NetNTLM Downgrade Attack, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, RDP Port Change Using Powershell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMI DLL Loaded Via Office, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Python Opening Ports, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Configuration Changed, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspect Svchost Memory Access, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Microsoft Defender Antivirus Tampering Detected, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious DLL Loaded Via Office Applications, Suspicious Outlook Child Process, PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, QakBot Process Creation, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Detection of default Mimikatz banner, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Invocations - Specific, In-memory PowerShell, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Socat Relaying Socket, PowerShell Malicious PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, WMI DLL Loaded Via Office, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Turla Named Pipes, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious Scripting In A WMI Consumer, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Aspnet Compiler, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Trickbot Malware Activity, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Threat Detected, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream, Mustang Panda Dropper"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Active Directory User Backdoors, Active Directory Replication User Backdoor, Active Directory Delegate To KRBTGT Service, Add User to Privileged Group, Privileged AD Builtin Group Modified, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, User Added to Local Administrators"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Antivirus Relevant File Paths Alerts, Audit CVE Event, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Antivirus Exploitation Framework Detection, Suspicious New Printer Ports In Registry, Antivirus Password Dumper Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection, Remote Access Tool Domain, Antivirus Password Dumper Detection"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Detection of default Mimikatz banner, Bloodhound and Sharphound Tools Usage, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Invocations - Specific, In-memory PowerShell, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Turla Named Pipes, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dynwrapx Module Loading, Cobalt Strike Named Pipes, Spoolsv Wrong Parent, Process Hollowing Detection, MavInject Process Injection, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Process Herpaderping, Malicious Named Pipe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Cobalt Strike Default Service Creation Usage, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Wininit Wrong Parent, StoneDrill Service Install, APT29 Fake Google Update Service Install, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Cobalt Strike Default Service Creation Usage, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Wininit Wrong Parent, StoneDrill Service Install, APT29 Fake Google Update Service Install, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Cookies Deletion, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, Eventlog Cleared, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Dynwrapx Module Loading, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Suspicious DLL Loaded Via Office Applications, HarfangLab EDR High Threat, Sysmon Windows File Block Executable, Download Files From Suspicious TLDs, HarfangLab EDR Low Threat, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Download Files From Non-Legitimate TLDs, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Critical Threat, HarfangLab EDR Hlai Engine Detection, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Winword Document Droppers, HarfangLab EDR Medium Threat, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious DLL Loaded Via Office Applications, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, WMI DLL Loaded Via Office"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Python Opening Ports"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious PsExec Execution, Taskhost Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, PsExec Process, Lsass Wrong Parent, Smbexec.py Service Installation, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, Metasploit PSExec Service Creation, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Credential Dumping Tools Service Execution, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, WMI Persistence Command Line Event Consumer, Windows Suspicious Service Creation"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious PsExec Execution, Taskhost Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, PsExec Process, Lsass Wrong Parent, Smbexec.py Service Installation, Windows Update LolBins, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Metasploit PSExec Service Creation, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Credential Dumping Tools Service Execution, Winrshost Wrong Parent, SolarWinds Suspicious File Creation, Check Point Harmony Mobile Application Forbidden, Microsoft Defender Antivirus Threat Detected, Suspicious Commands From MS SQL Server Shell, Exfiltration Via Pscp, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, WMI Persistence Command Line Event Consumer, Windows Suspicious Service Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, LSASS Access From Non System Account, Credential Dumping By LaZagne, Windows Credential Editor Registry Key, LSASS Memory Dump, LSASS Memory Dump File Creation, Mimikatz LSASS Memory Access, Lsass Access Through WinRM, Password Dumper Activity On LSASS, Unsigned Image Loaded Into LSASS Process, Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Kerberos Ticket, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection, Rubeus Tool Command-line, Suspicious TGS requests (Kerberoasting), Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, TUN/TAP Driver Installation, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Svchost Modification, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Netscan Share Access Artefact, PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance, Reconnaissance Commands Activities, AD User Enumeration, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1, Discovery Commands Correlation, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, MMC20 Lateral Movement, Smbexec.py Service Installation, Lsass Access Through WinRM, MMC Spawning Windows Shell, Protected Storage Service Access, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Denied Access To Remote Desktop, RDP Login From Localhost, Admin Share Access, RDP Port Change Using Powershell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Denied Access To Remote Desktop, Account Added To A Security Enabled Group, User Added to Local Administrators"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Python HTTP Server, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Information Stealer Downloading Legitimate Third-Party DLLs, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Remote Registry Management Using Reg Utility, Credentials Extraction, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Windows Registry Persistence COM Search Order Hijacking, Werfault DLL Injection, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, SysKey Registry Keys Access, Putty Sessions Listing"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Secure Deletion With SDelete, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Certificate Request-adcs Abuse, Suspicious Kerberos Ticket"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, DCSync Attack"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 2, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Audit CVE Event, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, Netsh Port Forwarding, Suspicious Hostname, TOR Usage Generic Rule"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Possible RottenPotato Attack, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying, Successful Brute Force Login From Internet"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292, Successful Brute Force Login From Internet"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
index 4960f76fc5..65d7a7aa53 100644
--- a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Download From URL"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Shell PID Injection, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, PowerShell Download From URL, Phorpiex DriveMgr Command, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Mustang Panda Dropper"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Shell PID Injection, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
index 0df91dca19..b9f145d1c1 100644
--- a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index 03fab7677b..8e2cf704f6 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index e609cacd06..fa2c95c52d 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Powershell Winlogon Helper DLL, Malware Persistence Registry Key, Svchost Modification, DLL Load via LSASS Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, ISO LNK Infection Chain, IcedID Execution Using Excel"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, NetNTLM Downgrade Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, RDP Sensitive Settings Changed, Blue Mockingbird Malware, FlowCloud Malware, NetNTLM Downgrade Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding, NetNTLM Downgrade Attack"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program, NetNTLM Downgrade Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Mshta Suspicious Child Process, Microsoft Office Spawning Script, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Outlook Child Process, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Explorer Wrong Parent, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Explorer Wrong Parent, Winword wrong parent, SolarWinds Wrong Child Process, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Rare Logonui Child Found, Csrss Child Found, Rare Lsass Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Explorer Wrong Parent, Winword wrong parent, SolarWinds Wrong Child Process, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Rare Logonui Child Found, Csrss Child Found, Rare Lsass Child Found"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, Shell PID Injection, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Svchost Modification, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Winword wrong parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Rare Logonui Child Found, Usage Of Sysinternals Tools, Csrss Child Found, PsExec Process, Rare Lsass Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Winword wrong parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Rare Logonui Child Found, Usage Of Sysinternals Tools, Csrss Child Found, PsExec Process, Windows Update LolBins, Rare Lsass Child Found"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Shell PID Injection, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Svchost Modification, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, HTA Infection Chains, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, NetNTLM Downgrade Attack, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, DHCP Callout DLL Installation, Ursnif Registry Key, FlowCloud Malware, RDP Sensitive Settings Changed, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, PowerShell Commands Invocation, PowerShell Download From URL, Phorpiex DriveMgr Command, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Trickbot Malware Activity, Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Spawning Script, Mustang Panda Dropper"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Explorer Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Explorer Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, New Service Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, CMSTP UAC Bypass via COM Object Access, Shell PID Injection"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, PsExec Process, SolarWinds Wrong Child Process, Csrss Child Found, Winword wrong parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, SolarWinds Wrong Child Process, Windows Update LolBins, Winword wrong parent, Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, SolarWinds Suspicious File Creation, Suspicious DNS Child Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Shell PID Injection, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
index e5fb9fb910..0459c995b7 100644
--- a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Powershell Winlogon Helper DLL, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Cobalt Strike Default Beacons Names, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), ISO LNK Infection Chain, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity)"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Process Trace Alteration, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Information Stealer Downloading Legitimate Third-Party DLLs, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, RDP Sensitive Settings Changed, Blue Mockingbird Malware, FlowCloud Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMI Fingerprint Commands"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Suspicious Driver Loaded, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Suspicious Driver Loaded, Package Manager Alteration, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Cookies Deletion, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Download From URL"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, PsExec Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Shell PID Injection, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Svchost Modification, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Microsoft Office Creating Suspicious File, HTA Infection Chains, Explorer Process Executing HTA File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Cobalt Strike Default Beacons Names, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, DHCP Callout DLL Installation, Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMI Fingerprint Commands"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Copy Of Legitimate System32 Executable, RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Python Offensive Tools and Packages, Mustang Panda Dropper"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, Mustang Panda Dropper"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Cookies Deletion, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Shell PID Injection, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Svchost Modification, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Shell PID Injection, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, SSH Authorized Key Alteration, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
index d9f47716fb..6f3dbbdbcc 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Claroty xDome Network Threat Detection Alert"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Claroty xDome Network Threat Detection Alert"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
index 46710e9ba8..4ac3bedff1 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Cobalt Strike Default Beacons Names, Cybereason EDR Alert, Cybereason EDR Malware Detection, ISO LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Cybereason EDR Alert, PsExec Process, Cybereason EDR Malware Detection"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Socat Reverse Shell Detection, Cybereason EDR Alert, Cybereason EDR Malware Detection"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cybereason EDR Alert, Microsoft Office Creating Suspicious File, HTA Infection Chains, Cybereason EDR Malware Detection, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Cybereason EDR Alert, PsExec Process, OneNote Suspicious Children Process, Cybereason EDR Malware Detection, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Trace Alteration, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Cybereason EDR Alert, Microsoft Office Creating Suspicious File, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Cybereason EDR Malware Detection"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
index 295e7725e3..239332e1d8 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
index 5d45a5f999..69eb514816 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
index 090cf03b6b..0f79118887 100644
--- a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Malware Persistence Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Login Brute-Force Successful On SentinelOne EDR Management Console, PowerShell Invoke Expression With Registry, WMIC Uninstall Product, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, WMImplant Hack Tool, Suspicious PowerShell Invocations - Specific, Suspicious PowerShell Invocations - Generic, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Invoke-TheHash Commandlets, PowerShell EncodedCommand, FromBase64String Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Malspam Execution Registering Malicious DLL, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, RSA SecurID Failed Authentification"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, Invoke-TheHash Commandlets, WMI Fingerprint Commands"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Disable Task Manager Through Registry Key, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Powershell AMSI Bypass, Netsh Allowed Python Program, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, Phorpiex DriveMgr Command, QakBot Process Creation, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Linux Bash Reverse Shell, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, Mustang Panda Dropper"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, Suspicious Desktopimgdownldr Execution, CertOC Loading Dll"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Powershell Web Request, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, DNS Exfiltration and Tunneling Tools Execution, Invoke-TheHash Commandlets, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage, Container Credential Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Python HTTP Server, Sliver DNS Beaconing, Potential LokiBot User-Agent"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, RSA SecurID Failed Authentification"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
index 3d191e9c0e..4ed0150c87 100644
--- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
index c0d4363b53..e605139101 100644
--- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Socat Reverse Shell Detection, Sekoia.io EICAR Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Workstation, Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Workstation, Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Relaying Socket, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal, Login Brute-Force Successful On Jumpcloud Workstation"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal, Login Brute-Force Successful On Jumpcloud Workstation"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
index e997785b53..1693a67db6 100644
--- a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
index 20dfc9ee70..2c0f858eb6 100644
--- a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
index 0ecf22656b..95aa42f513 100644
--- a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
index 6a02186f31..c90e6523f8 100644
--- a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication, Login Brute-Force On FreeRadius, RSA SecurID Failed Authentification"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius, RSA SecurID Failed Authentification, FreeRADIUS Failed Authentication"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
index 11504481eb..64146a4506 100644
--- a/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Juniper Networks Switches [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Juniper Networks Switches [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
index 37b00495dd..ddde2556b3 100644
--- a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
index 7077e19e5a..00d2a757dd 100644
--- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, Process Trace Alteration, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMImplant Hack Tool"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, Aspnet Compiler, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Download From URL"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, PsExec Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Cloud One Medium Intrusion, Trend Micro Cloud One High Intrusion, Trend Micro Cloud One Low Intrusion, SecurityScorecard Vulnerability Assessment Scanner New Issues"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, HTA Infection Chains, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, PowerShell Download From URL, Phorpiex DriveMgr Command, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Aspnet Compiler, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Mustang Panda Dropper"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Possible Malicious File Double Extension, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues, Trend Micro Cloud One Medium Intrusion, Trend Micro Cloud One High Intrusion, Trend Micro Cloud One Low Intrusion"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
index 84f0796df6..7a32fe76d9 100644
--- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Socat Reverse Shell Detection, Sekoia.io EICAR Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Relaying Socket, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
index bda9938b3d..2515ea8d20 100644
--- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Adidnsdump Enumeration, Internet Scanner Target"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Trellix Network Security Threat Notified, Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Trellix Network Security Threat Blocked, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Trace Alteration, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Adidnsdump Enumeration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Trellix Network Security Threat Blocked, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Trellix Network Security Threat Notified"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
index 7a29536318..03ac844bfb 100644
--- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Gatewatcher AionIQ Malware Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, Potential LokiBot User-Agent, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ v102", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Gatewatcher AionIQ Malware Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
index 273862222c..0f12903774 100644
--- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
index 2e7efc6382..89ba7572e4 100644
--- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
index 866086ba98..ae1dc07620 100644
--- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Cron Files Alteration, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Powershell Winlogon Helper DLL, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Process Trace Alteration, HackTools Suspicious Names, Malicious Service Installations, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, NetNTLM Downgrade Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, Chafer (APT 39) Activity, OceanLotus Registry Activity, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Wdigest Enable UseLogonCredential, RDP Port Change Using Powershell, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, RDP Sensitive Settings Changed, NetNTLM Downgrade Attack, Blue Mockingbird Malware, FlowCloud Malware, Disabling SmartScreen Via Registry"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Disabled Service, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, TrustedInstaller Impersonation, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Package Manager Alteration, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Disabled Service, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, TrustedInstaller Impersonation, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Windows Defender Deactivation Using PowerShell Script, NetNTLM Downgrade Attack"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Trickbot Malware Activity, Mshta Suspicious Child Process, Microsoft Office Spawning Script, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, XSL Script Processing And SquiblyTwo Attack, Malicious PowerShell Keywords, Exploited CVE-2020-10189 Zoho ManageEngine, AutoIt3 Execution From Suspicious Folder, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Threat Detected, Suspicious Taskkill Command, Suspicious Outlook Child Process, Socat Reverse Shell Detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, Aspnet Compiler, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, PowerShell Credential Prompt, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, PowerShell NTFS Alternate Data Stream, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, User Added to Local Administrators, Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, PowerShell Download From URL, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Chafer (APT 39) Activity, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Chafer (APT 39) Activity, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Cookies Deletion, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Rubeus Register New Logon Process, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Smbexec.py Service Installation, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Windows Update LolBins, Malicious Service Installations, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Exfiltration Via Pscp, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, Smbexec.py Service Installation, Suspicious Commands From MS SQL Server Shell, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wininit Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Winrshost Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, Chafer (APT 39) Activity, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, Cryptomining, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, IcedID Execution Using Excel"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, MMC20 Lateral Movement, RDP Login From Localhost, MMC Spawning Windows Shell, RDP Port Change Using Powershell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added to Local Administrators, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, RSA SecurID Failed Authentification"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Adidnsdump Enumeration, Internet Scanner Target"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Chafer (APT 39) Activity, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Chafer (APT 39) Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Svchost Modification, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Malicious Service Installations, Copying Sensitive Files With Credential Data, Wdigest Enable UseLogonCredential, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, NetNTLM Downgrade Attack, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, RDP Sensitive Settings Changed, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Chafer (APT 39) Activity, Disabling SmartScreen Via Registry, RDP Port Change Using Powershell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, SELinux Disabling, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Disabled Service, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, SELinux Disabling, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Disabled Service, ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Microsoft Defender Antivirus Tampering Detected, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, QakBot Process Creation, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Interactive Terminal Spawned via Python, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, Socat Relaying Socket, PowerShell Malicious PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Aspnet Compiler, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Trickbot Malware Activity, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Threat Detected, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream, Python Offensive Tools and Packages, Mustang Panda Dropper"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, SSH Authorized Key Alteration, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, User Added to Local Administrators"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Wininit Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Malicious Service Installations, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Wininit Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus Tampering Detected, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Cookies Deletion, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Rubeus Register New Logon Process, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Svchost Modification, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Malicious Service Installations, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Smbexec.py Service Installation, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Malicious Service Installations, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Smbexec.py Service Installation, Windows Update LolBins, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Wininit Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Winrshost Wrong Parent, SolarWinds Suspicious File Creation, Microsoft Defender Antivirus Threat Detected, Suspicious Commands From MS SQL Server Shell, Exfiltration Via Pscp, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Malspam Execution Registering Malicious DLL, Microsoft Defender Antivirus Threat Detected, Sysmon Windows File Block Executable, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, Smbexec.py Service Installation, MMC Spawning Windows Shell, RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Account Added To A Security Enabled Group, User Added to Local Administrators"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Adidnsdump Enumeration"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
index 5f0dc90fcf..2b50e0c91e 100644
--- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
index ae21941788..2982db453c 100644
--- a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
index cf38cb55ba..927443966c 100644
--- a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
index 6f388afb62..8c0d5b389e 100644
--- a/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cyberwatch Detection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Cyberwatch Detection Critical Vulnerability"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Cyberwatch Detection Critical Vulnerability"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cyberwatch Detection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Cyberwatch Detection Critical Vulnerability"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Cyberwatch Detection Critical Vulnerability"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
index 3557fd067e..ed11285dbd 100644
--- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Filter Rule Deletion, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, ZIP LNK Infection Chain, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Mass Download By A Single User, HTA Infection Chains, Microsoft 365 (Office 365) MCAS Risky IP, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) DLP Policy Removed, ISO LNK Infection Chain, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Suspicious File Name, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification, Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification, Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Filter Rule Deletion, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft Defender for Office 365 Medium Severity AIR Alert, Suspicious Double Extension, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Possible Malicious File Double Extension, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Suspicious Email Attachment Received, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Risky IP, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Microsoft 365 Authenticated Activity From Tor IP Address, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Microsoft 365 Authenticated Activity From Tor IP Address, Suspicious TOR Gateway"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft Defender for Office 365 Medium Severity AIR Alert, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046), Entra ID Sign-In Via Known AiTM Phishing Kit, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046), Entra ID Sign-In Via Known AiTM Phishing Kit, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA)"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address, Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Entra ID Password Compromised By Known Credential Testing Tool"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Download Files From Suspicious TLDs, HTA Infection Chains, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Malware Filter Rule Deletion, ZIP LNK Infection Chain, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, ISO LNK Infection Chain, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Mass Download By A Single User"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Aspnet Compiler"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Filter Policy Removed, SEKOIA.IO Intelligence Feed, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Email Attachment Received, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS New Country, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft 365 (Office 365) MCAS Repeated Delete, Suspicious Double Extension, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Possible Malicious File Double Extension, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Mass Download By A Single User"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Microsoft 365 Authenticated Activity From Tor IP Address, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Microsoft 365 Authenticated Activity From Tor IP Address, TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046), Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046), Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Entra ID Consent Attempt to Suspicious OAuth Application, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Entra ID Password Compromised By Known Credential Testing Tool"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
index bea4cb0b48..34268b6505 100644
--- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
index 4a7c9eb549..257c825c00 100644
--- a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
index 88cbdb866c..6a44cff148 100644
--- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
index 6ba1ce4b71..8602004b8b 100644
--- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
index 7ccec72209..ce4625c909 100644
--- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, Backup Catalog Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup, User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Disable MFA, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM ChangePassword, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Important Change, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail EC2 Security Group Modified, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail GuardDuty Detector Suspended"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Policy Changed, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail Disable MFA, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Important Change, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM CreateSAMLProvider"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail IAM Policy Changed, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1537", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1580", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1619", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted, Backup Catalog Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Disable MFA, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail Important Change, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail EventBridge Rule Disabled Or Deleted, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Failed User Creation, Password Change On Directory Service Restore Mode (DSRM) Account, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Route 53 Domain Transfer Lock Disabled"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console, AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail Disable MFA, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail Important Change, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail S3 Bucket Replication, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail Root ConsoleLogin, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Route 53 Domain Transfer Lock Disabled"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1537", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1580", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1619", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Change Master Password, AWS CloudTrail RDS Public DB Restore"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
index e8eaf7184c..9ac965f100 100644
--- a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
index b16c862097..7bb432449b 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
index a508978666..22abe71c33 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
index 7cb3803aa7..686bcc28be 100644
--- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
index 3ab512aaea..3e4003fe00 100644
--- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Block Rule, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
index e51ca54fc4..6cfdff5b35 100644
--- a/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Veeam Backup", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Veeam Backup", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index cd84fd2f36..156005d93b 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, ISO LNK Infection Chain, Zscaler ZIA Malicious Threat, Zscaler ZIA Suspicious Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, Zscaler ZIA Malicious Threat, Zscaler ZIA Suspicious Threat"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Cryptomining, Cobalt Strike HTTP Default POST Beaconing, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Zscaler ZIA Malicious Threat, Zscaler ZIA Suspicious Threat, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Zscaler ZIA Malicious Threat, Zscaler ZIA Suspicious Threat, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Cobalt Strike DNS Beaconing, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Sliver DNS Beaconing, Potential LokiBot User-Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
index a0291842b2..f1601fe869 100644
--- a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
index f6d304c5ef..8e7c4ef06a 100644
--- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Trace Alteration, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alert"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
index 374611194d..da3ce58f54 100644
--- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
index a597a467a7..096a555115 100644
--- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Spam Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (CEO Fraud) Detected By Vade For M365, Malware Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spearphishing (CEO Fraud) Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Scam Detected By Vade For M365, Malware Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Spam Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
index 50e4128302..881977ce7e 100644
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Modified, Okta Network Zone Deactivated"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Modified, Okta MFA Disabled, Okta Security Threat Configuration Updated, Okta Network Zone Deleted, Okta Network Zone Deactivated, Okta Blacklist Manipulations"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Many Passwords Reset Attempt, Okta Suspicious Activity Reported, Okta Unauthorized Access to App"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Okta User Logged In Multiple Applications, Okta User Logged In From Multiple Countries"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Admin Privilege Granted, Okta User Impersonation Access, Okta User Account Deactivated, Okta Application deleted, Okta Application modified"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Deactivated, Okta Network Zone Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta MFA Disabled, Okta Blacklist Manipulations, Okta Network Zone Deactivated, Okta Network Zone Modified, Okta Security Threat Configuration Updated"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Many Passwords Reset Attempt, Okta Unauthorized Access to App"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Okta MFA Bypass Attempt"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Okta User Logged In From Multiple Countries, Okta User Logged In Multiple Applications"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Account Deactivated, Okta Application deleted, Okta Admin Privilege Granted, Okta Application modified, Okta User Impersonation Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
index 4b646c16de..174330e49d 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenVPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenVPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
index 437a091923..02f1c24d4b 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, Process Trace Alteration, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, WMImplant Hack Tool"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Disabled Service, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Debugging Software Deactivation, ETW Tampering, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Disabled Service, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious File Name, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Download From URL"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, PsExec Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMImplant Hack Tool, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, SELinux Disabling, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Disabled Service, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, SELinux Disabling, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Disabled Service, ETW Tampering, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, Mustang Panda Dropper"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Commands Invocation, PowerShell Download From URL, Phorpiex DriveMgr Command, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Suspicious File Name, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Microsoft Office Creating Suspicious File, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Python Offensive Tools and Packages, Mustang Panda Dropper"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, Shadow Copies"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
index 7e33912718..9f958d5815 100644
--- a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index 26ff7c5c61..8389144dfc 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Cryptomining, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Suspicious File Name, Socat Reverse Shell Detection, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Information Stealer Downloading Legitimate Third-Party DLLs, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Trace Alteration, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
index 4934419faa..eeff2798fb 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
index 5414d62bef..20a2a0fdee 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
index 24344959b6..b08de5d3ec 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
index c0ee856eec..a8f68aec2a 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
index c0baf03ea2..1971d4a91c 100644
--- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential Bazar Loader User-Agents, Cryptomining, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Credential Dump Tools Related Files, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
index 888b8bf3da..db0a975543 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Change Default File Association, Reconnaissance Commands Activities, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write, WMI Event Subscription, COM Hijack Via Sdclt"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, Powershell Winlogon Helper DLL, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Credential Harvesting Via Vaultcmd.exe"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Adidnsdump Enumeration, Internet Scanner, System Network Connections Discovery, Remote System Discovery Via Telnet, Internet Scanner Target"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Sysmon Windows File Block Executable, ZIP LNK Infection Chain, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, Stormshield Ses Critical Not Block, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, HTA Infection Chains, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL, Stormshield Ses Emergency Block, Stormshield Ses Critical Block, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, ISO LNK Infection Chain"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Wdigest Enable UseLogonCredential, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, NetNTLM Downgrade Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, OceanLotus Registry Activity, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, Disabling SmartScreen Via Registry, Blue Mockingbird Malware, FlowCloud Malware, NetNTLM Downgrade Attack"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trickbot Malware Activity, Mshta Suspicious Child Process, Microsoft Office Spawning Script, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Exploited CVE-2020-10189 Zoho ManageEngine, AutoIt3 Execution From Suspicious Folder, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, FromBase64String Command Line, Linux Bash Reverse Shell, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Threat Detected, Suspicious Taskkill Command, Suspicious Outlook Child Process, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Mustang Panda Dropper, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Commands Invocation, Lazarus Loaders, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Suspicious Windows Script Execution, WMIC Uninstall Product, Generic-reverse-shell-oneliner, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Venom Multi-hop Proxy agent detection, PowerShell Download From URL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, MalwareBytes Uninstallation, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Netsh RDP Port Forwarding, NetNTLM Downgrade Attack"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, NetSh Used To Disable Windows Firewall, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, ETW Tampering, FLTMC command usage, MalwareBytes Uninstallation, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allow Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash, Dism Disabling Windows Defender, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Fail2ban Unban IP, Windows Firewall Changes, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Disabled IE Security Features, Disable Windows Defender Credential Guard, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Netsh Allowed Python Program, NetNTLM Downgrade Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Antivirus Password Dumper Detection, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Remote Access Tool Domain"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, New Service Creation, Svchost Wrong Parent, Rare Logonui Child Found"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Eventlog Cleared, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, xWizard Execution, Suspicious Control Process, Explorer Process Executing HTA File, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, MavInject Process Injection, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, CMSTP Execution, Control Panel Items, MOFComp Execution, Empire Monkey Activity, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, Shell PID Injection, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Smss Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, PsExec Process, Taskhost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Usage Of Sysinternals Tools, Windows Update LolBins, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Exfiltration Via Pscp, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Winword wrong parent, Suspicious DNS Child Process, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, IcedID Execution Using Excel"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage, Outlook Registry Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Shell PID Injection, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, PowerView commandlets 2, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Outlook Child Process, Suspicious Double Extension, Possible Malicious File Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, COM Hijack Via Sdclt, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Event Subscription, HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, PowerView commandlets 2, Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Svchost Modification, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Remote System Discovery Via Telnet, Internet Scanner, ACLight Discovering Privileged Accounts, Internet Scanner Target, System Network Connections Discovery"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Stormshield Ses Emergency Block, Sysmon Windows File Block Executable, Download Files From Suspicious TLDs, HTA Infection Chains, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Microsoft Office Product Spawning Windows Shell, Stormshield Ses Critical Not Block, Explorer Process Executing HTA File, ISO LNK Infection Chain, Microsoft Defender Antivirus Threat Detected, IcedID Execution Using Excel, Winword Document Droppers, Stormshield Ses Critical Block, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Names, Wdigest Enable UseLogonCredential, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, RDP Sensitive Settings Changed, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, Disabling SmartScreen Via Registry"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, WMImplant Hack Tool, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMI Fingerprint Commands"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, PowerShell Commands Invocation, Phorpiex DriveMgr Command, PowerShell Download From URL, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, MalwareBytes Uninstallation, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Socat Relaying Socket, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, PowerShell EncodedCommand, Malspam Execution Registering Malicious DLL, Sysprep On AppData Folder, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Windows Script Execution, FromBase64String Command Line, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Socat Reverse Shell Detection, Exploited CVE-2020-10189 Zoho ManageEngine, Trickbot Malware Activity, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Threat Detected, Mshta Suspicious Child Process, Sekoia.io EICAR Detection, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Office Spawning Script, Mustang Panda Dropper"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, WMIC Uninstall Product, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, FLTMC command usage, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Program Allowed With Suspicious Location, NetNTLM Downgrade Attack, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Microsoft Defender Antivirus Tampering Detected, Powershell AMSI Bypass, Netsh Allowed Python Program, Dism Disabling Windows Defender, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Elise Backdoor, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Antivirus Exploitation Framework Detection, Suspicious New Printer Ports In Registry, Antivirus Password Dumper Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection, Remote Access Tool Domain, Antivirus Password Dumper Detection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Userinit Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, Eventlog Cleared, ETW Tampering"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Gpresult Usage, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, Control Panel Items, MavInject Process Injection, xWizard Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CMSTP Execution, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, CMSTP UAC Bypass via COM Object Access, Shell PID Injection, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Svchost Modification, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Mshta Suspicious Child Process, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhost Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Lsass Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Usage Of Procdump With Common Arguments, Taskhostw Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Winlogon wrong parent, Winword wrong parent, Smss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Exfiltration Via Pscp, Csrss Child Found, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Linux Suspicious Search, Container Credential Access, Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Shell PID Injection, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Discovery Commands Correlation, WMI Fingerprint Commands"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
index 301dbe4491..270bf383c3 100644
--- a/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x EfficientIP SOLIDServer DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: EfficientIP SOLIDServer Suspicious Behavior"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x EfficientIP SOLIDServer DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: EfficientIP SOLIDServer Suspicious Behavior"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
index 45beb3d48b..c331f24900 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Suspicious File Name, Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Credential Dump Tools Related Files, WCE wceaux.dll Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, ZIP LNK Infection Chain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Aspnet Compiler"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Names, Process Trace Alteration, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
index 1ae6c4bcb7..4e22f845ea 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
index 76ffe8e0ac..0cfe015d1e 100644
--- a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cryptomining, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
index b61155767a..11ceba76cf 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Changelog _last update on 2024-09-20_
+Changelog _last update on 2024-09-23_
 
 ## Changelog
 
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
index 6560e8974f..64fb02e17f 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Rules catalog includes **947 built-in detection rules** ([_last update on 2024-09-20_](rules_changelog.md)).
+Rules catalog includes **947 built-in detection rules** ([_last update on 2024-09-23_](rules_changelog.md)).
 ## Reconnaissance
 **Gather Victim Identity Information**
 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.md
index f2877dea0d..99ce996588 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ### Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Gatewatcher AionIQ**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Gatewatcher AionIQ v102**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Gatewatcher AionIQ on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Gatewatcher AionIQ v102 on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json){ .md-button }
 ??? abstract "Advanced IP Scanner"
     
     Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
index f83b50f589..c41ef41206 100644
--- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md
+++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
@@ -1,6 +1,6 @@
 # Built-in detection rules, EventIDs and EventProviders relations
 SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture.
-This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-09-20_
+This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-09-23_
 
 The colors of the EventIDs in this page should be interpreted as follow: