diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index 0962de607a..86d1378522 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Netsh Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Suspicious PrinterPorts Creation (CVE-2020-1048), WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell, Lazarus Loaders"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
index 57fbc40ffe..a196d0306d 100644
--- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, xWizard Execution, Control Panel Items, Suspicious Regasm Regsvcs Usage, CMSTP Execution, MavInject Process Injection, CertOC Loading Dll, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, SSH X11 Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SSH Tunnel Traffic, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Aspnet Compiler, PowerShell Download From URL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, Lazarus Loaders, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Explorer Process Executing HTA File, Empire Monkey Activity, Control Panel Items, CMSTP Execution, MavInject Process Injection, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Mshta JavaScript Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SSH Tunnel Traffic, SOCKS Tunneling Tool, Ngrok Process Execution, SSH X11 Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Linux Binary Masquerading"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
index 253ac7ee5a..087fdf52be 100644
--- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
index ff133263a4..cc40c8e977 100644
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Exploiting SetupComplete.cmd CVE-2019-1378, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, WithSecure Elements Critical Severity, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Netsh Program Allowed With Suspicious Location, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Microsoft Defender Antivirus Threat Detected, WithSecure Elements Critical Severity, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, WithSecure Elements Critical Severity, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Microsoft Defender Antivirus Threat Detected, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, Equation Group DLL_U Load, Explorer Process Executing HTA File, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, WithSecure Elements Critical Severity, Microsoft Defender Antivirus Threat Detected, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Cookies Deletion"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, WithSecure Elements Critical Severity, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
index 1f7d93aae8..b243c957f8 100644
--- a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
index 02eace52d2..a4666bfabd 100644
--- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Deletion, Google Workspace Admin Deletion, Google Workspace User Suspended"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Admin Modification, Google Workspace Domain Delegation"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace Password Change, Google Workspace MFA changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Deletion, Google Workspace Admin Deletion, Google Workspace User Suspended"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Admin Modification, Google Workspace Domain Delegation"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index a6b059b43a..3994cf485b 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, PsExec Process, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Microsoft Defender XDR Cloud App Security Alert, Taskhost Wrong Parent, Microsoft Defender XDR Endpoint Alert, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, PsExec Process, Winrshost Wrong Parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, Taskhostw Wrong Parent, Microsoft Defender XDR Office 365 Alert, Wsmprovhost Wrong Parent, SolarWinds Suspicious File Creation, Microsoft Defender XDR Alert, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Kernel Module Alteration, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Leviathan Registry Key Activity"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Defender XDR Cloud App Security Alert, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Socat Relaying Socket, Microsoft Defender XDR Endpoint Alert, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Outlook Child Process, Interactive Terminal Spawned via Python, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Microsoft Defender XDR Office 365 Alert, QakBot Process Creation, Microsoft Defender XDR Alert, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Ursnif Registry Key, RDP Sensitive Settings Changed, OceanLotus Registry Activity"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Suspicious Driver Loaded, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Disabled Service, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Mshta Suspicious Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Socat Relaying Socket, Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender XDR Cloud App Security Alert, Suspicious Outlook Child Process, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender XDR Office 365 Alert, Microsoft Defender XDR Endpoint Alert, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Microsoft Defender XDR Alert"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Suspicious DNS Child Process, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Suspicious DNS Child Process, PsExec Process, Microsoft Defender XDR Office 365 Alert, Smss Wrong Parent, Searchindexer Wrong Parent, Microsoft Defender XDR Cloud App Security Alert, Wmiprvse Wrong Parent, Winlogon wrong parent, Microsoft Defender XDR Alert, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Microsoft Defender XDR Endpoint Alert, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhost Wrong Parent"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Autorun Keys Modification, Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Python Offensive Tools and Packages, Aspnet Compiler, Microsoft Defender XDR Office 365 Alert, PowerShell Download From URL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender XDR Cloud App Security Alert, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, Microsoft Defender XDR Alert, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Microsoft Defender XDR Endpoint Alert, Mshta Suspicious Child Process, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, NetSh Used To Disable Windows Firewall, FLTMC command usage, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Microsoft Defender XDR Alert, Microsoft Defender XDR Office 365 Alert, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Microsoft Defender XDR Cloud App Security Alert, Microsoft Defender XDR Endpoint Alert, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Suspicious Email Attachment Received, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index 6032daf9a2..34609bcba9 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
index c9c713335d..5a510952d4 100644
--- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Trend Micro Apex One Malware Alert, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Lazarus Loaders, Aspnet Compiler, Trend Micro Apex One Data Loss Prevention Alert, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Procdump With Common Arguments, Trend Micro Apex One Data Loss Prevention Alert, Trend Micro Apex One Malware Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Trend Micro Apex One Data Loss Prevention Alert, Cobalt Strike Default Beacons Names, Trend Micro Apex One Malware Alert, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Aspnet Compiler, PowerShell Download From URL, Trend Micro Apex One Malware Alert, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Trend Micro Apex One Data Loss Prevention Alert, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, Equation Group DLL_U Load, Explorer Process Executing HTA File, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, Trend Micro Apex One Malware Alert, SolarWinds Suspicious File Creation, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Potential DNS Tunnel, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, RTLO Character, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Trend Micro Apex One Malware Alert, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Trend Micro Apex One Data Loss Prevention Alert, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering, Cookies Deletion"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
index e80cae8ed0..9d654bf83a 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
index 393bbbc24d..9679aa67c3 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, CertOC Loading Dll, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Suspicious Windows Installer Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SentinelOne EDR User Failed To Log In To The Management Console, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR SSO User Added, Phorpiex DriveMgr Command, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), Linux Bash Reverse Shell, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Detected (Malicious), Suspicious Taskkill Command, SentinelOne EDR Custom Rule Alert, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Sekoia.io EICAR Detection, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR Agent Disabled, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, PowerShell EncodedCommand, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), WMIC Uninstall Product, Suspicious Cmd.exe Command Line, SentinelOne EDR Threat Mitigation Report Remediate Success, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR User Logged In To The Management Console, Usage Of Procdump With Common Arguments, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Agent Disabled, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR SSO User Added, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Detected (Malicious), SolarWinds Wrong Child Process"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Package Manager Alteration, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Netsh Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, FLTMC command usage, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR User Failed To Log In To The Management Console, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Agent Disabled, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR SSO User Added, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Custom Rule Alert, Download Files From Suspicious TLDs, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR User Logged In To The Management Console"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Impacket Wmiexec Module"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Logged In To The Management Console, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, SentinelOne EDR Agent Disabled, Exploiting SetupComplete.cmd CVE-2019-1378, SentinelOne EDR SSO User Added, SentinelOne EDR Custom Rule Alert, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, Lazarus Loaders, SentinelOne EDR Threat Detected (Suspicious), Default Encoding To UTF-8 PowerShell, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Remediate Success, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Malicious Threat Not Mitigated, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Detected (Suspicious), Usage Of Procdump With Common Arguments, SentinelOne EDR Agent Disabled, SolarWinds Wrong Child Process, SentinelOne EDR SSO User Added, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Remediate Success"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, NetSh Used To Disable Windows Firewall, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Phorpiex Process Masquerading, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Detected (Suspicious), SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Agent Disabled, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR SSO User Added, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Malicious Threat Not Mitigated, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Remediate Success, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
index 711ad5547e..73a4554560 100644
--- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
index 8a8856303c..f7020012af 100644
--- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, QakBot Process Creation, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, SolarWinds Wrong Child Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Winword wrong parent, Suspicious DNS Child Process, Windows Update LolBins, Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Wrong Child Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Mshta Suspicious Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, New Service Creation, Winword wrong parent, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, New Service Creation, Winword wrong parent, SolarWinds Wrong Child Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Aspnet Compiler, PowerShell Download From URL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, FLTMC command usage, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, PsExec Process, Winword wrong parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Windows Update LolBins, SolarWinds Wrong Child Process, PsExec Process, Winword wrong parent, Suspicious DNS Child Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Winword wrong parent, Explorer Wrong Parent, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Winword wrong parent, Explorer Wrong Parent, New Service Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index e5ad53bda7..3e46ecf109 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Logonui Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Logonui Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Windows Update LolBins, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Kernel Module Alteration, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Socat Relaying Socket, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Outlook Child Process, Interactive Terminal Spawned via Python, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, QakBot Process Creation, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Ursnif Registry Key, RDP Sensitive Settings Changed, OceanLotus Registry Activity"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Suspicious Driver Loaded, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Disabled Service, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Mshta Suspicious Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Socat Relaying Socket, Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Download Files From Non-Legitimate TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Suspicious DNS Child Process, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Wrong Parent, Lsass Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Suspicious DNS Child Process, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Csrss Wrong Parent, Lsass Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhost Wrong Parent"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Autorun Keys Modification"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Python Offensive Tools and Packages, PowerShell Download From URL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Mshta Suspicious Child Process, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
index 50cc2a312b..6cf58098ab 100644
--- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Potential LokiBot User-Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
index 35459f16c5..a45852b1cb 100644
--- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious IP"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious IP"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Leaked Credentials"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Leaked Credentials"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
index 0dcdb90484..a62aaecfd8 100644
--- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
index 51316a2f4b..f2b87b295f 100644
--- a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
index 191dc01c4f..a315f9dfc6 100644
--- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Netsh Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell, Lazarus Loaders"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
index 32bfd34ee8..1b6154f043 100644
--- a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Potential LokiBot User-Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
index 132f75c5f8..ab5006d097 100644
--- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, Rare Lsass Child Found, Winrshost Wrong Parent, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, Rare Lsass Child Found, Winrshost Wrong Parent, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Dllhost Wrong Parent, PsExec Process, Rare Lsass Child Found, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, CrowdStrike Falcon Identity Protection Detection Critical Severity, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Dllhost Wrong Parent, PsExec Process, CrowdStrike Falcon Identity Protection Detection High Severity, Rare Lsass Child Found, CrowdStrike Falcon Intrusion Detection Critical Severity, Winrshost Wrong Parent, Windows Update LolBins, CrowdStrike Falcon Identity Protection Detection Medium Severity, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, CrowdStrike Falcon Identity Protection Detection Low Severity, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection High Severity, Wsmprovhost Wrong Parent, SolarWinds Suspicious File Creation, CrowdStrike Falcon Intrusion Detection Medium Severity, Taskhost or Taskhostw Suspicious Child Found, CrowdStrike Falcon Identity Protection Detection Informational Severity, Lsass Wrong Parent, CrowdStrike Falcon Intrusion Detection, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Exploiting SetupComplete.cmd CVE-2019-1378, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Trickbot Malware Activity, CrowdStrike Falcon Identity Protection Detection Critical Severity, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Outlook Child Process, CrowdStrike Falcon Identity Protection Detection High Severity, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, CrowdStrike Falcon Identity Protection Detection Low Severity, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection High Severity, QakBot Process Creation, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, CrowdStrike Falcon Identity Protection Detection Informational Severity, PowerShell Downgrade Attack, CrowdStrike Falcon Intrusion Detection, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, Aspnet Compiler, CrowdStrike Falcon Intrusion Detection Medium Severity, Microsoft Defender Antivirus Disabled Base64 Encoded, CrowdStrike Falcon Intrusion Detection Low Severity, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Netsh Program Allowed With Suspicious Location, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: CrowdStrike Falcon Mobile Detection High Severity, CrowdStrike Falcon Mobile Detection Critical Severity, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection Medium Severity, Cryptomining, CrowdStrike Falcon Mobile Detection Informational Severity, CrowdStrike Falcon Mobile Detection Low Severity, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CrowdStrike Falcon Identity Protection Detection Critical Severity, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, CrowdStrike Falcon Identity Protection Detection High Severity, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection High Severity, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Low Severity"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, CrowdStrike Falcon Intrusion Detection Low Severity, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, CrowdStrike Falcon Intrusion Detection High Severity, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, CrowdStrike Falcon Identity Protection Detection High Severity, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, CrowdStrike Falcon Identity Protection Detection Informational Severity, Dllhost Wrong Parent, Userinit Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Winword wrong parent, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Medium Severity"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Trickbot Malware Activity, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Python Offensive Tools and Packages, CrowdStrike Falcon Intrusion Detection Low Severity, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Download From URL, CrowdStrike Falcon Intrusion Detection High Severity, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, CrowdStrike Falcon Identity Protection Detection High Severity, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, Mshta Suspicious Child Process, CrowdStrike Falcon Intrusion Detection Medium Severity, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, CrowdStrike Falcon Identity Protection Detection Critical Severity, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Identity Protection Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, MalwareBytes Uninstallation, CrowdStrike Falcon Intrusion Detection, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, FLTMC command usage, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Potential DNS Tunnel, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, CrowdStrike Falcon Mobile Detection Critical Severity, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection Medium Severity, Dynamic DNS Contacted, Cryptomining, CrowdStrike Falcon Mobile Detection Informational Severity, CrowdStrike Falcon Mobile Detection Low Severity, CrowdStrike Falcon Mobile Detection High Severity, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection High Severity, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, CrowdStrike Falcon Identity Protection Detection High Severity, Suspicious Outlook Child Process, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Winword Document Droppers, Exploit For CVE-2015-1641, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Medium Severity"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
index 9696cdc33a..d6652d4e05 100644
--- a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
index 06f3935b37..9ddb862656 100644
--- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
index 98e6f5b8cd..3ea7d3077e 100644
--- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, StoneDrill Service Install, Winrshost Wrong Parent, Rare Logonui Child Found, Chafer (APT 39) Activity, Logonui Wrong Parent, APT29 Fake Google Update Service Install, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Taskhost or Taskhostw Suspicious Child Found, Malicious Service Installations, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, StoneDrill Service Install, Winrshost Wrong Parent, Rare Logonui Child Found, Chafer (APT 39) Activity, Logonui Wrong Parent, APT29 Fake Google Update Service Install, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Taskhost or Taskhostw Suspicious Child Found, Malicious Service Installations, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Smbexec.py Service Installation, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Windows Suspicious Service Creation, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Credential Dumping Tools Service Execution, Rare Lsass Child Found, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Metasploit PSExec Service Creation, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Malicious Service Installations, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Suspicious PsExec Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Smbexec.py Service Installation, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Windows Suspicious Service Creation, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Credential Dumping Tools Service Execution, Rare Lsass Child Found, Winrshost Wrong Parent, Check Point Harmony Mobile Application Forbidden, Windows Update LolBins, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Microsoft Defender Antivirus Threat Detected, Metasploit PSExec Service Creation, Wsmprovhost Wrong Parent, SolarWinds Suspicious File Creation, Taskhost or Taskhostw Suspicious Child Found, Malicious Service Installations, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Suspicious PsExec Execution"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Cobalt Strike Named Pipes, Malicious Named Pipe, Svchost Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Dynwrapx Module Loading, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Taskhostw Wrong Parent, CreateRemoteThread Common Process Injection, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Process Hollowing Detection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Process Herpaderping"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, WMI Event Subscription, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Python HTTP Server, Suspicious LDAP-Attributes Used, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Chafer (APT 39) Activity"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Chafer (APT 39) Activity, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, Autorun Keys Modification, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, Ryuk Ransomware Persistence Registry Key, NjRat Registry Changes, Kernel Module Alteration, Malware Persistence Registry Key, Powershell Winlogon Helper DLL, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, DNS ServerLevelPluginDll Installation, Werfault DLL Injection"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Suspicious DLL side loading from ProgramData, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Active Directory Delegate To KRBTGT Service, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Replication User Backdoor, Privileged AD Builtin Group Modified, Enabling Restricted Admin Mode, Active Directory User Backdoors"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Domain Trust Created Or Removed, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Kerberos Pre-Auth Disabled in UAC, Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Kerberos Ticket, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, WMI DLL Loaded Via Office, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, WMI DLL Loaded Via Office, Suspicious DLL Loaded Via Office Applications, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Exploiting SetupComplete.cmd CVE-2019-1378, WMImplant Hack Tool, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Trickbot Malware Activity, Mustang Panda Dropper, WMI DLL Loaded Via Office, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, Phorpiex DriveMgr Command, PowerShell Invoke Expression With Registry, Suspicious Scripting In A WMI Consumer, PowerShell Download From URL, Suspicious Outlook Child Process, Microsoft Office Spawning Script, PowerShell NTFS Alternate Data Stream, Malicious PowerShell Keywords, PowerShell Credential Prompt, Suspicious Taskkill Command, Turla Named Pipes, Sekoia.io EICAR Detection, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Detection of default Mimikatz banner, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, In-memory PowerShell, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Threat Detected, Venom Multi-hop Proxy agent detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Keywords, QakBot Process Creation, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Alternate PowerShell Hosts Pipe, Lazarus Loaders, Aspnet Compiler, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, SCM Database Handle Failure, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, AD User Enumeration, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance, Phosphorus (APT35) Exchange Discovery, Remote Privileged Group Enumeration, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, NlTest Usage, PowerView commandlets 2, Trickbot Malware Activity, PowerView commandlets 1, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, DHCP Callout DLL Installation, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, RDP Sensitive Settings Changed, FlowCloud Malware, DNS ServerLevelPluginDll Installation, NetNTLM Downgrade Attack, Remote Registry Management Using Reg Utility, Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, Disable Security Events Logging Adding Reg Key MiniNt, Suspicious New Printer Ports In Registry, Ursnif Registry Key, Suspicious Desktopimgdownldr Execution, OceanLotus Registry Activity"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Execution From Suspicious Folder, Formbook Hijacked Process Command, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Remote Registry Management Using Reg Utility, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Exclusion Configuration, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable SecurityHealth, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Disable Windows Defender Credential Guard, Suspicious PROCEXP152.sys File Created In Tmp, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Exclusion Configuration, ETW Tampering, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, Windows Firewall Changes, Python Opening Ports, Suspect Svchost Memory Access, Netsh Allow Command, Microsoft Defender Antivirus Disable SecurityHealth, Suspicious Driver Loaded, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Tampering Detected, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Suspicious PROCEXP152.sys File Created In Tmp, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, NetNTLM Downgrade Attack, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Disable Scheduled Tasks, Powershell AMSI Bypass, Disabled IE Security Features, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Desktopimgdownldr Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CMSTP UAC Bypass via COM Object Access, Dynwrapx Module Loading, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Mustang Panda Dropper, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete, Backup Catalog Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Credential Dumping By LaZagne, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, Transfering Files With Credential Data Via Network Shares, Mimikatz LSASS Memory Access, LSASS Memory Dump, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, Windows Credential Editor Registry Key, Cred Dump Tools Dropped Files, LSASS Memory Dump File Creation, Lsass Access Through WinRM, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, SAM Registry Hive Handle Request, NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, Active Directory Database Dump Via Ntdsutil, WCE wceaux.dll Creation, DCSync Attack, Unsigned Image Loaded Into LSASS Process, LSASS Access From Non System Account, Suspicious CommandLine Lsassy Pattern, Active Directory Replication from Non Machine Account, Cmdkey Cached Credentials Recon, Malicious Service Installations, Copying Browser Files With Credentials, NetNTLM Downgrade Attack, Password Dumper Activity On LSASS, NTDS.dit File Interaction Through Command Line, Mimikatz Basic Commands, Load Of dbghelp/dbgcore DLL From Suspicious Process, RedMimicry Winnti Playbook Dropped File, Suspicious SAM Dump"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Eventlog Cleared, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Secure Deletion With SDelete, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, Malicious PowerShell Keywords, PowerShell Credential Prompt, Suspicious Taskkill Command, Turla Named Pipes, Detection of default Mimikatz banner, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, In-memory PowerShell, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Keywords, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Denied Access To Remote Desktop, Admin User RDP Remote Logon, Account Added To A Security Enabled Group"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Python Opening Ports, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Cred Dump Tools Dropped Files, LSASS Access From Non System Account, Dumpert LSASS Process Dumper, Password Dumper Activity On LSASS, Credential Dumping By LaZagne, Unsigned Image Loaded Into LSASS Process, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Mimikatz LSASS Memory Access, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump, Lsass Access Through WinRM, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, LSASS Memory Dump"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, MMC20 Lateral Movement, Smbexec.py Service Installation, RDP Port Change Using Powershell, Admin Share Access, RDP Login From Localhost, MMC Spawning Windows Shell, Denied Access To Remote Desktop, Lateral Movement Remote Named Pipe, Lsass Access Through WinRM, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Antivirus Exploitation Framework Detection, Exploit For CVE-2015-1641, Audit CVE Event, Antivirus Password Dumper Detection, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Smbexec.py Service Installation, Lateral Movement Remote Named Pipe, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution, DCSync Attack"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Copying Browser Files With Credentials, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File, Suspicious SAM Dump, SAM Registry Hive Handle Request"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, SSH X11 Forwarding, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, SSH Tunnel Traffic, Netsh Port Forwarding"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Critical Threat, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Critical Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR High Threat, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Suspicious DLL Loaded Via Office Applications"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Critical Threat, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Critical Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR High Threat, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Suspicious DLL Loaded Via Office Applications"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, Cisco Umbrella Threat Detected"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - Atera, Antivirus Password Dumper Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, SysKey Registry Keys Access, Suspicious Taskkill Command, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, RDP Port Change Using Powershell, Denied Access To Remote Desktop"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, APT29 Fake Google Update Service Install, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Rare Logonui Child Found, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Cobalt Strike Default Service Creation Usage, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Chafer (APT 39) Activity, Taskhost Wrong Parent, Malicious Service Installations, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, APT29 Fake Google Update Service Install, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Rare Logonui Child Found, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Cobalt Strike Default Service Creation Usage, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Chafer (APT 39) Activity, Taskhost Wrong Parent, Malicious Service Installations, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Suspicious PsExec Execution, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Metasploit PSExec Service Creation, Credential Dumping Tools Service Execution, Taskhost Wrong Parent, Malicious Service Installations, Usage Of Procdump With Common Arguments, Csrss Wrong Parent, Smbexec.py Service Installation, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, Windows Suspicious Service Creation"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Check Point Harmony Mobile Application Forbidden, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Microsoft Defender Antivirus Threat Detected, Suspicious PsExec Execution, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Metasploit PSExec Service Creation, Credential Dumping Tools Service Execution, Taskhost Wrong Parent, Malicious Service Installations, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Csrss Wrong Parent, Smbexec.py Service Installation, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, Windows Suspicious Service Creation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Process Herpaderping, Dynwrapx Module Loading, Malicious Named Pipe, Explorer Wrong Parent, Cobalt Strike Named Pipes, Process Hollowing Detection, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, MavInject Process Injection, CreateRemoteThread Common Process Injection, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, WMI Event Subscription, Suspicious Scripting In A WMI Consumer, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Sliver DNS Beaconing, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Cryptomining, Suspicious LDAP-Attributes Used, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Ryuk Ransomware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder, Malware Persistence Registry Key, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Ryuk Ransomware Persistence Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Malware Persistence Registry Key, Powershell Winlogon Helper DLL, NjRat Registry Changes, Narrator Feedback-Hub Persistence, DLL Load via LSASS Registry Key, Autorun Keys Modification, Suspicious desktop.ini Action, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Windows Registry Persistence COM Search Order Hijacking, Hijack Legit RDP Session To Move Laterally, Suspicious DLL side loading from ProgramData, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Active Directory Replication User Backdoor, Privileged AD Builtin Group Modified, Active Directory User Backdoors, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Delegate To KRBTGT Service, User Added to Local Administrators"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, GPO Executable Delivery, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC, Suspicious Outbound Kerberos Connection, Suspicious Kerberos Ticket, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Microsoft Defender Antivirus Threat Detected, Trickbot Malware Activity, PowerShell Invoke Expression With Registry, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, WMI DLL Loaded Via Office, In-memory PowerShell, Alternate PowerShell Hosts Pipe, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, Suspicious DLL Loaded Via Office Applications, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Turla Named Pipes, AutoIt3 Execution From Suspicious Folder, Sekoia.io EICAR Detection, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, FromBase64String Command Line, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, Detection of default Mimikatz banner, Mustang Panda Dropper, Mshta Suspicious Child Process, Venom Multi-hop Proxy agent detection, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, WMImplant Hack Tool, Suspicious Scripting In A WMI Consumer, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, PowerShell Malicious PowerShell Commandlets"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 2, SCM Database Privileged Operation, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 2, Remote Privileged Group Enumeration, AD User Enumeration, Active Directory Data Export Using Csvde, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading, CreateRemoteThread Common Process Injection"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, NetNTLM Downgrade Attack, Remote Registry Management Using Reg Utility, DHCP Callout DLL Installation, FlowCloud Malware, Disable Security Events Logging Adding Reg Key MiniNt, Suspicious Desktopimgdownldr Execution, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable Workstation Lock, Chafer (APT 39) Activity, RDP Port Change Using Powershell, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Execution From Suspicious Folder, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Remote Registry Management Using Reg Utility, XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Dism Disabling Windows Defender, Ryuk Ransomware Command Line, Suspicious PROCEXP152.sys File Created In Tmp, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, Disable Windows Defender Credential Guard, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Malware Protection Engine Crash, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Opening Ports, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Dism Disabling Windows Defender, FLTMC command usage, Powershell AMSI Bypass, Ryuk Ransomware Command Line, Suspicious PROCEXP152.sys File Created In Tmp, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspect Svchost Memory Access, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, Disable Windows Defender Credential Guard, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Dynwrapx Module Loading, CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Elise Backdoor, Mustang Panda Dropper, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Abusing Azure Browser SSO, Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Transfering Files With Credential Data Via Network Shares, Credential Dumping-Tools Common Named Pipes, Mimikatz LSASS Memory Access, Copying Browser Files With Credentials, Impacket Secretsdump.py Tool, LSASS Memory Dump File Creation, HackTools Suspicious Process Names In Command Line, SAM Registry Hive Handle Request, DPAPI Domain Backup Key Extraction, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Cred Dump Tools Dropped Files, Unsigned Image Loaded Into LSASS Process, Grabbing Sensitive Hives Via Reg Utility, LSASS Access From Non System Account, LSASS Memory Dump, Process Memory Dump Using Comsvcs, Credential Dumping By LaZagne, Password Dumper Activity On LSASS, Lsass Access Through WinRM, Mimikatz Basic Commands, Rubeus Tool Command-line, RedMimicry Winnti Playbook Dropped File, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, HackTools Suspicious Names, Credential Dumping Tools Service Execution, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data, Dumpert LSASS Process Dumper, Wdigest Enable UseLogonCredential, Malicious Service Installations, Load Of dbghelp/dbgcore DLL From Suspicious Process, Active Directory Replication from Non Machine Account, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, DCSync Attack, Suspicious SAM Dump"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Eventlog Cleared, Secure Deletion With SDelete, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering, Cookies Deletion"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Secure Deletion With SDelete"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Downgrade Attack, In-memory PowerShell, Alternate PowerShell Hosts Pipe, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Turla Named Pipes, Suspicious PowerShell Keywords, FromBase64String Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Mshta Suspicious Child Process, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, PowerShell Credential Prompt"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Denied Access To Remote Desktop, User Added to Local Administrators"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Python Opening Ports, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Powershell AMSI Bypass, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Lsass Access Through WinRM, Credential Dumping-Tools Common Named Pipes, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Cred Dump Tools Dropped Files, Mimikatz LSASS Memory Access, Unsigned Image Loaded Into LSASS Process, LSASS Access From Non System Account, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, LSASS Memory Dump, LSASS Memory Dump File Creation, Credential Dumping By LaZagne, Credential Dumping Tools Service Execution, Suspicious CommandLine Lsassy Pattern, Password Dumper Activity On LSASS, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lsass Access Through WinRM, Admin Share Access, Smbexec.py Service Installation, MMC Spawning Windows Shell, MMC20 Lateral Movement, RDP Login From Localhost, Protected Storage Service Access, Denied Access To Remote Desktop, RDP Port Change Using Powershell, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Audit CVE Event, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution, Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Smbexec.py Service Installation, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, DCSync Attack, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, RedMimicry Winnti Playbook Dropped File, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, SAM Registry Hive Handle Request, Copying Sensitive Files With Credential Data, Suspicious SAM Dump"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, DPAPI Domain Backup Key Extraction"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SSH Tunnel Traffic, SOCKS Tunneling Tool, Ngrok Process Execution, SSH X11 Forwarding, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, HarfangLab EDR Medium Threat, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Hlai Engine Detection, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Critical Level Rule Detection, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, HarfangLab EDR Medium Threat, Suspicious DLL Loaded Via Office Applications, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, HarfangLab EDR Hlai Engine Detection, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Critical Level Rule Detection, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Threat"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, AD User Enumeration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Cisco Umbrella Threat Detected, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, SysKey Registry Keys Access, Putty Sessions Listing"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
index 3bc36dcbf6..c88414c62e 100644
--- a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index c902821107..48bfcb8061 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index 5a1490cd6d..bf4696be4e 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Lsass Child Found, Winrshost Wrong Parent, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Lsass Child Found, Winrshost Wrong Parent, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Lsass Child Found, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Lsass Child Found, Winrshost Wrong Parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Microsoft Defender Antivirus Threat Detected, Wsmprovhost Wrong Parent, SolarWinds Suspicious File Creation, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Kernel Module Alteration, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Leviathan Registry Key Activity"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Trickbot Malware Activity, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Threat Detected, QakBot Process Creation, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Ursnif Registry Key, RDP Sensitive Settings Changed, OceanLotus Registry Activity"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Suspicious Driver Loaded, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Audit CVE Event, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Suspicious Outlook Child Process, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Microsoft Defender Antivirus Threat Detected, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Autorun Keys Modification, Suspicious desktop.ini Action"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Microsoft Defender Antivirus Threat Detected, Trickbot Malware Activity, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Audit CVE Event"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Potential DNS Tunnel, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
index a2477e212d..d1f59c1f55 100644
--- a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, Sliver DNS Beaconing, Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
index fc5eab0e70..ed58d99789 100644
--- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Suspicious Windows Installer Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Netsh Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious Taskkill Command"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell, Lazarus Loaders"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Python HTTP Server, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
index dd994a521c..fa523d90b7 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
index 8fa8d0ff73..12cce33b85 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Dllhost Wrong Parent, PsExec Process, Rare Lsass Child Found, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Dllhost Wrong Parent, PsExec Process, Rare Lsass Child Found, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Sekoia.io EICAR Detection, Microsoft Office Spawning Script, Aspnet Compiler, AutoIt3 Execution From Suspicious Folder, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Cron Files Alteration"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Suspicious Outlook Child Process, Aspnet Compiler, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Suspicious Parent"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
index 30dd7d2767..0c4de51b96 100644
--- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
index ccd57580d2..17f152f4b3 100644
--- a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Sliver DNS Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
index fd8db6c84b..8505592e74 100644
--- a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
index 65a2245179..2893965549 100644
--- a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
index 3169c3986d..0391fb6d64 100644
--- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Lsass Child Found, Winrshost Wrong Parent, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Lsass Child Found, Winrshost Wrong Parent, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Lsass Child Found, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Lsass Child Found, Winrshost Wrong Parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Microsoft Defender Antivirus Threat Detected, Wsmprovhost Wrong Parent, SolarWinds Suspicious File Creation, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Cron Files Alteration"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Kernel Module Alteration, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Leviathan Registry Key Activity"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Exploiting SetupComplete.cmd CVE-2019-1378, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Trickbot Malware Activity, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Threat Detected, QakBot Process Creation, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Blue Mockingbird Malware, Ursnif Registry Key, RDP Sensitive Settings Changed, OceanLotus Registry Activity"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Netsh Program Allowed With Suspicious Location, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Suspicious Driver Loaded, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, DNS Tunnel Technique From MuddyWater, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Critical Threat, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Critical Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR High Threat, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Critical Threat, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Critical Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR High Threat, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Microsoft Defender Antivirus Threat Detected, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Autorun Keys Modification, Suspicious desktop.ini Action"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Microsoft Defender Antivirus Threat Detected, Trickbot Malware Activity, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Python Offensive Tools and Packages, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Cookies Deletion"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential LokiBot User-Agent, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, HarfangLab EDR Medium Threat, HarfangLab EDR Hlai Engine Detection, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Critical Level Rule Detection, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, HarfangLab EDR Medium Threat, HarfangLab EDR Hlai Engine Detection, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, Suspicious Outlook Child Process, HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Critical Level Rule Detection, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Threat"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
index 9225660f03..f394aedb3a 100644
--- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, Sekoia.io EICAR Detection, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert, Sekoia.io EICAR Detection, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
index 65e9298b01..8763ed1453 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR Application Blocked, Sophos EDR CorePUA Detection, Download Files From Suspicious TLDs, Sophos EDR CorePUA Clean"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR CorePUA Detection, Sophos EDR CorePUA Clean, Sophos EDR Application Blocked, Sophos EDR Application Detected, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
index ba959201c0..aeabca26d4 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
index c856054fd2..04f2288d90 100644
--- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
index 8862a714d3..baa4500601 100644
--- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Winrshost Wrong Parent, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Winrshost Wrong Parent, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, Winrshost Wrong Parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Kernel Module Alteration, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Exploiting SetupComplete.cmd CVE-2019-1378, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Trickbot Malware Activity, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, QakBot Process Creation, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Ursnif Registry Key, RDP Sensitive Settings Changed, OceanLotus Registry Activity"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Suspicious Driver Loaded, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, Suspicious DNS Child Process, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Autorun Keys Modification"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Trickbot Malware Activity, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Python Offensive Tools and Packages, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Sliver DNS Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
index b0a297cec7..4e99ef8834 100644
--- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, Possible Malicious File Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Quarantined, Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Blocked"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Sekoia.io EICAR Detection, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Cleaned, Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Quarantined"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
index 930e277185..b3875c5d03 100644
--- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
index 1ab5f4bef5..a96a911d7c 100644
--- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
index 86a6578a07..60b41b0a29 100644
--- a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid Critical Severity Alert, Tenable Identity Exposure / Alsid High Severity Alert"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid High Severity Alert, Tenable Identity Exposure / Alsid Critical Severity Alert"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
index 834b7189fb..401a47fbaf 100644
--- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Sliver DNS Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
index 69da5ecddc..a6bc5449d9 100644
--- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
index 29109642ff..e0d8721ebd 100644
--- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Spam But Allowed, Proofpoint TAP Email Classified As Phishing But Allowed, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Malware But Allowed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Spam But Allowed, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
index 5c64e04102..b773e5a8a4 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
index 1ea91254f3..05c00e3b0a 100644
--- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing), Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
index 84c2f59259..a5cf44a129 100644
--- a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
index 1910d81d1f..b21b17556e 100644
--- a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
index 8b6c9e0f7d..9d3d1f868b 100644
--- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
index 506beb8afa..5278fbf7cf 100644
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Successful External Login, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Successful External Login, Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Fortinet FortiGate Firewall Successful External Login, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Defender Antivirus Threat Detected, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Sliver DNS Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Successful External Login, Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
index 2f3b96a79d..d340931f80 100644
--- a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
index d472215b8c..0ef07feed2 100644
--- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
index 30e384dd80..31f37c0954 100644
--- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Socat Relaying Socket, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Interactive Terminal Spawned via Python, Socat Reverse Shell Detection, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, SolarWinds Suspicious File Creation, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Socat Relaying Socket, Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Aspnet Compiler, PowerShell Download From URL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, Equation Group DLL_U Load, Explorer Process Executing HTA File, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Potential DNS Tunnel, SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering, Cookies Deletion"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
index d1739edf3e..815ef080c8 100644
--- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Lsass Child Found, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Lsass Child Found, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Lsass Child Found, Windows Update LolBins, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, SolarWinds Suspicious File Creation, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Exploiting SetupComplete.cmd CVE-2019-1378, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Trickbot Malware Activity, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, QakBot Process Creation, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Netsh Program Allowed With Suspicious Location, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Wrong Parent, Lsass Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Csrss Wrong Parent, Lsass Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Trickbot Malware Activity, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Python Offensive Tools and Packages, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, FLTMC command usage, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering, Cookies Deletion"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
index 9e3f665d40..8c3f819e90 100644
--- a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
index 5fb9a998e5..0721df4091 100644
--- a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
index 5ef9400702..79c29b7ee8 100644
--- a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
index 8ab4c66854..26f75c7908 100644
--- a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
index 28c9e3c64a..ce6f345fa0 100644
--- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
index 8f83a91fa3..d74b5abd9b 100644
--- a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
index 15ea3a1e1e..a32b2e16c0 100644
--- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
index 20c0102be5..ba9cde54e6 100644
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Netsh Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell, Lazarus Loaders"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
index 78a5d5952b..f4d8dab3a5 100644
--- a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
index 83b4433a6f..a36420ebeb 100644
--- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
index 1dfbac4a33..e5d0a797bb 100644
--- a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
index 1e7a7ae2e9..3562b9e987 100644
--- a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
index 5dd1740906..d8d4878dc8 100644
--- a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
index 92b9d8c634..62d33fc3cf 100644
--- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, xWizard Execution, Control Panel Items, Suspicious Regasm Regsvcs Usage, CMSTP Execution, MavInject Process Injection, CertOC Loading Dll, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Aspnet Compiler, PowerShell Download From URL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, Lazarus Loaders, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Explorer Process Executing HTA File, Empire Monkey Activity, Control Panel Items, CMSTP Execution, MavInject Process Injection, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Mshta JavaScript Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
index 8638691726..5ba155ebf0 100644
--- a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
index b8f086bfcd..7e5fec97f0 100644
--- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
index a2864bc1ea..f6671a71ae 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
index df71a13123..b938647942 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
index 5b83ca6d2c..63b46917df 100644
--- a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
index 95647085e2..1ff2f89e3c 100644
--- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected, GitHub High Risk Configuration Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected, GitHub High Risk Configuration Disabled"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub High Risk Configuration Disabled, GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected, GitHub Delete Action"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub High Risk Configuration Disabled, GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected, GitHub Delete Action"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
index da6c99d085..3fac5c2261 100644
--- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
index f4e35d1933..aee977d082 100644
--- a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
index b2672c30ff..24f946b8d5 100644
--- a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
index 7d3f264b86..70ccfaac8f 100644
--- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
index 129ca8a09d..ca64c4bf0e 100644
--- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
index 3580a9974e..5e77aee853 100644
--- a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
index 3b27c91279..11d4d5bd9f 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index d47634101a..7cd7dd13a4 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, TEHTRIS EDR Alert, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, TEHTRIS EDR Alert, PsExec Process, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, Aspnet Compiler, PowerShell Download From URL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, TEHTRIS EDR Alert, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, Equation Group DLL_U Load, Explorer Process Executing HTA File, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, TEHTRIS EDR Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, RTLO Character, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, TEHTRIS EDR Alert, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
index d7baa4b971..1ffd707901 100644
--- a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cisco Umbrella Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
index cd99ede819..290b278489 100644
--- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
index 33af7aa3ba..df6af10cbd 100644
--- a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
index fc4e494646..430b1ff1a0 100644
--- a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index 3368a4a664..d52ced587e 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, StoneDrill Service Install, Winrshost Wrong Parent, Rare Logonui Child Found, Chafer (APT 39) Activity, Logonui Wrong Parent, APT29 Fake Google Update Service Install, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Taskhost or Taskhostw Suspicious Child Found, Malicious Service Installations, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Rare Lsass Child Found, StoneDrill Service Install, Winrshost Wrong Parent, Rare Logonui Child Found, Chafer (APT 39) Activity, Logonui Wrong Parent, APT29 Fake Google Update Service Install, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Taskhost or Taskhostw Suspicious Child Found, Malicious Service Installations, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Smbexec.py Service Installation, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Windows Suspicious Service Creation, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Credential Dumping Tools Service Execution, Rare Lsass Child Found, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Metasploit PSExec Service Creation, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Malicious Service Installations, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Suspicious PsExec Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Smbexec.py Service Installation, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Windows Suspicious Service Creation, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Credential Dumping Tools Service Execution, Rare Lsass Child Found, Winrshost Wrong Parent, Check Point Harmony Mobile Application Forbidden, Windows Update LolBins, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Microsoft Defender Antivirus Threat Detected, Metasploit PSExec Service Creation, Wsmprovhost Wrong Parent, SolarWinds Suspicious File Creation, Taskhost or Taskhostw Suspicious Child Found, Malicious Service Installations, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Suspicious PsExec Execution"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Process Herpaderping, Malicious Named Pipe, Suspicious Process Requiring DLL Starts Without DLL, CreateRemoteThread Common Process Injection, Cobalt Strike Named Pipes, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Dynwrapx Module Loading, Explorer Wrong Parent, Process Hollowing Detection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, WMI Event Subscription, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing, Python HTTP Server, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Python HTTP Server, Suspicious LDAP-Attributes Used, Chafer (APT 39) Activity, Dynamic DNS Contacted, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, DNS Tunnel Technique From MuddyWater, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Chafer (APT 39) Activity"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Chafer (APT 39) Activity, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, Autorun Keys Modification, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, Ryuk Ransomware Persistence Registry Key, NjRat Registry Changes, Kernel Module Alteration, Malware Persistence Registry Key, Powershell Winlogon Helper DLL, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, DNS ServerLevelPluginDll Installation, Werfault DLL Injection"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Suspicious DLL side loading from ProgramData, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, Windows Registry Persistence COM Search Order Hijacking, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Active Directory Delegate To KRBTGT Service, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Active Directory Replication User Backdoor, Privileged AD Builtin Group Modified, Enabling Restricted Admin Mode, Active Directory User Backdoors"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Domain Trust Created Or Removed, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Kerberos Pre-Auth Disabled in UAC, Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Kerberos Ticket, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, WMI DLL Loaded Via Office, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, WMI DLL Loaded Via Office, Suspicious DLL Loaded Via Office Applications, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Exploiting SetupComplete.cmd CVE-2019-1378, WMImplant Hack Tool, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Trickbot Malware Activity, Mustang Panda Dropper, WMI DLL Loaded Via Office, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, Phorpiex DriveMgr Command, PowerShell Invoke Expression With Registry, Suspicious Scripting In A WMI Consumer, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Outlook Child Process, Microsoft Office Spawning Script, PowerShell NTFS Alternate Data Stream, Malicious PowerShell Keywords, PowerShell Credential Prompt, Suspicious Taskkill Command, Turla Named Pipes, Sekoia.io EICAR Detection, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Detection of default Mimikatz banner, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, In-memory PowerShell, AutoIt3 Execution From Suspicious Folder, Generic-reverse-shell-oneliner, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Threat Detected, Venom Multi-hop Proxy agent detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Keywords, QakBot Process Creation, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Alternate PowerShell Hosts Pipe, Lazarus Loaders, Aspnet Compiler, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, SCM Database Handle Failure, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, AD User Enumeration, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance, Phosphorus (APT35) Exchange Discovery, Remote Privileged Group Enumeration, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, NlTest Usage, PowerView commandlets 2, Trickbot Malware Activity, PowerView commandlets 1, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, DHCP Callout DLL Installation, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, RDP Sensitive Settings Changed, FlowCloud Malware, DNS ServerLevelPluginDll Installation, NetNTLM Downgrade Attack, Remote Registry Management Using Reg Utility, Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, Disable Security Events Logging Adding Reg Key MiniNt, Suspicious New Printer Ports In Registry, Ursnif Registry Key, Suspicious Desktopimgdownldr Execution, OceanLotus Registry Activity"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Execution From Suspicious Folder, Formbook Hijacked Process Command, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, Remote Registry Management Using Reg Utility, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Exclusion Configuration, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable SecurityHealth, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Suspicious PROCEXP152.sys File Created In Tmp, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Exclusion Configuration, ETW Tampering, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, Windows Firewall Changes, Python Opening Ports, Suspect Svchost Memory Access, Netsh Allow Command, Microsoft Defender Antivirus Disable SecurityHealth, Suspicious Driver Loaded, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Tampering Detected, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, Suspicious PROCEXP152.sys File Created In Tmp, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, NetNTLM Downgrade Attack, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Disable Scheduled Tasks, Powershell AMSI Bypass, Disabled IE Security Features, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Desktopimgdownldr Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, CMSTP UAC Bypass via COM Object Access, Dynwrapx Module Loading, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Mustang Panda Dropper, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete, Backup Catalog Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, DPAPI Domain Backup Key Extraction, Process Trace Alteration, Impacket Secretsdump.py Tool, Credential Dumping By LaZagne, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, Transfering Files With Credential Data Via Network Shares, Mimikatz LSASS Memory Access, LSASS Memory Dump, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, Windows Credential Editor Registry Key, Cred Dump Tools Dropped Files, LSASS Memory Dump File Creation, Lsass Access Through WinRM, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, SAM Registry Hive Handle Request, NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, Active Directory Database Dump Via Ntdsutil, WCE wceaux.dll Creation, DCSync Attack, Unsigned Image Loaded Into LSASS Process, LSASS Access From Non System Account, Suspicious CommandLine Lsassy Pattern, Active Directory Replication from Non Machine Account, Cmdkey Cached Credentials Recon, Malicious Service Installations, Copying Browser Files With Credentials, NetNTLM Downgrade Attack, Password Dumper Activity On LSASS, NTDS.dit File Interaction Through Command Line, Mimikatz Basic Commands, Load Of dbghelp/dbgcore DLL From Suspicious Process, RedMimicry Winnti Playbook Dropped File, Suspicious SAM Dump"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Eventlog Cleared, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Secure Deletion With SDelete, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, Malicious PowerShell Keywords, PowerShell Credential Prompt, Suspicious Taskkill Command, Turla Named Pipes, Detection of default Mimikatz banner, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, In-memory PowerShell, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Keywords, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Denied Access To Remote Desktop, Admin User RDP Remote Logon, Account Added To A Security Enabled Group"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Python Opening Ports, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Cred Dump Tools Dropped Files, LSASS Access From Non System Account, Dumpert LSASS Process Dumper, Password Dumper Activity On LSASS, Credential Dumping By LaZagne, Unsigned Image Loaded Into LSASS Process, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Mimikatz LSASS Memory Access, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump, Lsass Access Through WinRM, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, LSASS Memory Dump"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, MMC20 Lateral Movement, Smbexec.py Service Installation, RDP Port Change Using Powershell, Admin Share Access, RDP Login From Localhost, MMC Spawning Windows Shell, Denied Access To Remote Desktop, Lateral Movement Remote Named Pipe, Lsass Access Through WinRM, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, Antivirus Exploitation Framework Detection, Exploit For CVE-2015-1641, Audit CVE Event, Antivirus Password Dumper Detection, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts, Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution, Rclone Process"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Smbexec.py Service Installation, Lateral Movement Remote Named Pipe, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution, DCSync Attack"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Copying Browser Files With Credentials, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File, Suspicious SAM Dump, SAM Registry Hive Handle Request"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Critical Threat, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), Download Files From Suspicious TLDs, HarfangLab EDR Critical Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR High Threat, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, HarfangLab EDR High Level Rule Detection, Download Files From Non-Legitimate TLDs, HarfangLab EDR Medium Threat, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Suspicious DLL Loaded Via Office Applications"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Critical Threat, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), Download Files From Suspicious TLDs, HarfangLab EDR Critical Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR High Threat, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, HarfangLab EDR High Level Rule Detection, Download Files From Non-Legitimate TLDs, HarfangLab EDR Medium Threat, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Suspicious DLL Loaded Via Office Applications"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, TOR Usage Generic Rule, Suspicious TOR Gateway, Netsh Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - Atera, Antivirus Password Dumper Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, SysKey Registry Keys Access, Suspicious Taskkill Command, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, RDP Port Change Using Powershell, Denied Access To Remote Desktop"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, APT29 Fake Google Update Service Install, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Rare Logonui Child Found, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Cobalt Strike Default Service Creation Usage, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Chafer (APT 39) Activity, Taskhost Wrong Parent, Malicious Service Installations, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, APT29 Fake Google Update Service Install, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Rare Logonui Child Found, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Cobalt Strike Default Service Creation Usage, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Chafer (APT 39) Activity, Taskhost Wrong Parent, Malicious Service Installations, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Suspicious PsExec Execution, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Metasploit PSExec Service Creation, Credential Dumping Tools Service Execution, Taskhost Wrong Parent, Malicious Service Installations, Usage Of Procdump With Common Arguments, Csrss Wrong Parent, Smbexec.py Service Installation, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, Windows Suspicious Service Creation"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Check Point Harmony Mobile Application Forbidden, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Microsoft Defender Antivirus Threat Detected, Suspicious PsExec Execution, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Metasploit PSExec Service Creation, Credential Dumping Tools Service Execution, Taskhost Wrong Parent, Malicious Service Installations, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Csrss Wrong Parent, Smbexec.py Service Installation, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, Windows Suspicious Service Creation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Dynwrapx Module Loading, Cobalt Strike Named Pipes, Process Hollowing Detection, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Process Herpaderping, Smss Wrong Parent, MavInject Process Injection, CreateRemoteThread Common Process Injection, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Malicious Named Pipe, Explorer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhost Wrong Parent"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, WMI Event Subscription, Suspicious Scripting In A WMI Consumer, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Dynamic DNS Contacted, DNS Tunnel Technique From MuddyWater, Covenant Default HTTP Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Cryptomining, Suspicious LDAP-Attributes Used, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Ryuk Ransomware Persistence Registry Key, Svchost Modification, RUN Registry Key Created From Suspicious Folder, Malware Persistence Registry Key, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Ryuk Ransomware Persistence Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Malware Persistence Registry Key, Powershell Winlogon Helper DLL, NjRat Registry Changes, Narrator Feedback-Hub Persistence, DLL Load via LSASS Registry Key, Autorun Keys Modification, Suspicious desktop.ini Action, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Windows Registry Persistence COM Search Order Hijacking, Hijack Legit RDP Session To Move Laterally, Suspicious DLL side loading from ProgramData, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, Linux Shared Lib Injection Via Ldso Preload, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Active Directory Replication User Backdoor, Privileged AD Builtin Group Modified, Active Directory User Backdoors, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Delegate To KRBTGT Service, User Added to Local Administrators"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, GPO Executable Delivery, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC, Suspicious Outbound Kerberos Connection, Suspicious Kerberos Ticket, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Microsoft Defender Antivirus Threat Detected, Trickbot Malware Activity, PowerShell Invoke Expression With Registry, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, WMI DLL Loaded Via Office, In-memory PowerShell, Alternate PowerShell Hosts Pipe, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, Suspicious DLL Loaded Via Office Applications, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Turla Named Pipes, AutoIt3 Execution From Suspicious Folder, Sekoia.io EICAR Detection, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, FromBase64String Command Line, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, Detection of default Mimikatz banner, Mustang Panda Dropper, Mshta Suspicious Child Process, Venom Multi-hop Proxy agent detection, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Generic-reverse-shell-oneliner, PowerShell NTFS Alternate Data Stream, Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, WMImplant Hack Tool, Suspicious Scripting In A WMI Consumer, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell, PowerShell Malicious PowerShell Commandlets"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 2, SCM Database Privileged Operation, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 2, Remote Privileged Group Enumeration, AD User Enumeration, Active Directory Data Export Using Csvde, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading, CreateRemoteThread Common Process Injection"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, NetNTLM Downgrade Attack, Remote Registry Management Using Reg Utility, DHCP Callout DLL Installation, FlowCloud Malware, Disable Security Events Logging Adding Reg Key MiniNt, Suspicious Desktopimgdownldr Execution, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable Workstation Lock, Chafer (APT 39) Activity, RDP Port Change Using Powershell, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Execution From Suspicious Folder, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Remote Registry Management Using Reg Utility, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Dism Disabling Windows Defender, Ryuk Ransomware Command Line, Suspicious PROCEXP152.sys File Created In Tmp, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, Disable Windows Defender Credential Guard, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Malware Protection Engine Crash, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Opening Ports, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Dism Disabling Windows Defender, FLTMC command usage, Powershell AMSI Bypass, Ryuk Ransomware Command Line, Suspicious PROCEXP152.sys File Created In Tmp, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspect Svchost Memory Access, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, Disable Windows Defender Credential Guard, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Dynwrapx Module Loading, CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Elise Backdoor, Mustang Panda Dropper, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Abusing Azure Browser SSO, Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Transfering Files With Credential Data Via Network Shares, Credential Dumping-Tools Common Named Pipes, Mimikatz LSASS Memory Access, Copying Browser Files With Credentials, Impacket Secretsdump.py Tool, LSASS Memory Dump File Creation, HackTools Suspicious Process Names In Command Line, SAM Registry Hive Handle Request, DPAPI Domain Backup Key Extraction, NTDS.dit File In Suspicious Directory, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Cred Dump Tools Dropped Files, Unsigned Image Loaded Into LSASS Process, Grabbing Sensitive Hives Via Reg Utility, LSASS Access From Non System Account, LSASS Memory Dump, Process Memory Dump Using Comsvcs, Credential Dumping By LaZagne, Password Dumper Activity On LSASS, Lsass Access Through WinRM, Mimikatz Basic Commands, Rubeus Tool Command-line, RedMimicry Winnti Playbook Dropped File, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, HackTools Suspicious Names, Credential Dumping Tools Service Execution, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data, Dumpert LSASS Process Dumper, Process Trace Alteration, Wdigest Enable UseLogonCredential, Malicious Service Installations, Load Of dbghelp/dbgcore DLL From Suspicious Process, Active Directory Replication from Non Machine Account, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line, DCSync Attack, Suspicious SAM Dump"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Eventlog Cleared, Secure Deletion With SDelete, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering, Cookies Deletion"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Secure Deletion With SDelete"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Downgrade Attack, In-memory PowerShell, Alternate PowerShell Hosts Pipe, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Turla Named Pipes, Suspicious PowerShell Keywords, FromBase64String Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Mshta Suspicious Child Process, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, PowerShell Credential Prompt"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Denied Access To Remote Desktop, User Added to Local Administrators"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, Python Opening Ports, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Powershell AMSI Bypass, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Lsass Access Through WinRM, Credential Dumping-Tools Common Named Pipes, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Cred Dump Tools Dropped Files, Mimikatz LSASS Memory Access, Unsigned Image Loaded Into LSASS Process, LSASS Access From Non System Account, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, LSASS Memory Dump, LSASS Memory Dump File Creation, Credential Dumping By LaZagne, Credential Dumping Tools Service Execution, Suspicious CommandLine Lsassy Pattern, Password Dumper Activity On LSASS, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lsass Access Through WinRM, Admin Share Access, Smbexec.py Service Installation, MMC Spawning Windows Shell, MMC20 Lateral Movement, RDP Login From Localhost, Protected Storage Service Access, Denied Access To Remote Desktop, RDP Port Change Using Powershell, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Download Files From Suspicious TLDs, Antivirus Exploitation Framework Detection, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Audit CVE Event, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Desktopimgdownldr Execution, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Smbexec.py Service Installation, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, DCSync Attack, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, IIS Module Installation Using AppCmd, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, RedMimicry Winnti Playbook Dropped File, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, SAM Registry Hive Handle Request, Copying Sensitive Files With Credential Data, Suspicious SAM Dump"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, DPAPI Domain Backup Key Extraction"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Potential DNS Tunnel, SOCKS Tunneling Tool, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, HarfangLab EDR Medium Threat, Suspicious DLL Loaded Via Office Applications, Download Files From Non-Legitimate TLDs, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Critical Level Rule Detection, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Threat, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, HarfangLab EDR Medium Threat, Suspicious DLL Loaded Via Office Applications, Download Files From Non-Legitimate TLDs, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Critical Level Rule Detection, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Threat, Download Files From Suspicious TLDs"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, AD User Enumeration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, SysKey Registry Keys Access, Putty Sessions Listing"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
index 08a29ac003..a179b17828 100644
--- a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, xWizard Execution, Control Panel Items, Suspicious Regasm Regsvcs Usage, CMSTP Execution, MavInject Process Injection, CertOC Loading Dll, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, Aspnet Compiler, PowerShell Download From URL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, Lazarus Loaders, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Explorer Process Executing HTA File, Empire Monkey Activity, Control Panel Items, CMSTP Execution, MavInject Process Injection, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Mshta JavaScript Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
index 6413b95490..4693a35f13 100644
--- a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Alert"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index 7a68f05359..f722b12700 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index c1f80aafaf..6e7118bac6 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Trickbot Malware Activity, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, QakBot Process Creation, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Suspicious Driver Loaded, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Rare Lsass Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Csrss Child Found, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, PsExec Process, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Rare Lsass Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, PsExec Process, Windows Update LolBins, Csrss Child Found, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Child Found, Explorer Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Child Found, Explorer Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, New Service Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Ursnif Registry Key, RDP Sensitive Settings Changed, OceanLotus Registry Activity"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Kernel Module Alteration"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Trickbot Malware Activity, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Child Found, Usage Of Procdump With Common Arguments, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, PsExec Process, Winword wrong parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Child Found, Usage Of Procdump With Common Arguments, Taskhost or Taskhostw Suspicious Child Found, Exfiltration Via Pscp, Windows Update LolBins, SolarWinds Wrong Child Process, PsExec Process, SolarWinds Suspicious File Creation, Winword wrong parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Winword wrong parent, Rare Lsass Child Found, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Winword wrong parent, Rare Lsass Child Found, Rare Logonui Child Found"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Potential DNS Tunnel, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
index 87efac8500..b19f378c2b 100644
--- a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Kernel Module Alteration, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Leviathan Registry Key Activity"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Blue Mockingbird Malware, Ursnif Registry Key, RDP Sensitive Settings Changed, OceanLotus Registry Activity"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, xWizard Execution, Control Panel Items, Suspicious Regasm Regsvcs Usage, CMSTP Execution, MavInject Process Injection, CertOC Loading Dll, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Autorun Keys Modification, Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Aspnet Compiler, PowerShell Download From URL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Explorer Process Executing HTA File, Empire Monkey Activity, Control Panel Items, CMSTP Execution, MavInject Process Injection, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Mshta JavaScript Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering, Cookies Deletion"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
index 7aeacbb900..559ccfa4f6 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
index 2be59d5123..aa2d2a8ddf 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Cybereason EDR Alert"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Cybereason EDR Alert, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Microsoft Office Creating Suspicious File, Cybereason EDR Alert"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Cybereason EDR Alert"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Cybereason EDR Alert, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Microsoft Office Creating Suspicious File, Cybereason EDR Alert"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
index 50b51e76c3..380a754e9a 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
index 5d412a756b..8055b983bd 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
index d7ba0479b8..46b0c3df3e 100644
--- a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Suspicious Windows Installer Execution"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Disable Task Manager Through Registry Key, Netsh RDP Port Forwarding, Netsh Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Cryptomining, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Python HTTP Server, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Python HTTP Server, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious Taskkill Command"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Commands Invocation, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell, Lazarus Loaders"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Python HTTP Server, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, DNS Exfiltration and Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Potential DNS Tunnel"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
index 82fb4fb7f7..cb0566b36a 100644
--- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
index 818ba68511..d54bcc9126 100644
--- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
index a1f929ee2e..ca3ad1cce0 100644
--- a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
index 985c6115ae..bfcfd66de9 100644
--- a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
index e0debc6194..81bd4652c1 100644
--- a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
index cce63b228a..53490238b5 100644
--- a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
index 3f64bc6503..8048475141 100644
--- a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
index 49fff928b2..9a7980ca54 100644
--- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, xWizard Execution, Control Panel Items, Suspicious Regasm Regsvcs Usage, CMSTP Execution, MavInject Process Injection, CertOC Loading Dll, Empire Monkey Activity, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, SolarWinds Suspicious File Creation, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Cloud One Low Intrusion, Trend Micro Cloud One Medium Intrusion, Trend Micro Cloud One High Intrusion"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Aspnet Compiler, PowerShell Download From URL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, Lazarus Loaders, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Explorer Process Executing HTA File, Empire Monkey Activity, Control Panel Items, CMSTP Execution, MavInject Process Injection, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Mshta JavaScript Execution, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering, Cookies Deletion"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Cloud One Medium Intrusion, Trend Micro Cloud One High Intrusion, Trend Micro Cloud One Low Intrusion"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
index fb59c4409c..587a612f3d 100644
--- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
index 3369e37eeb..f4963cf5e4 100644
--- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Trellix Network Security Threat Notified, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Trellix Network Security Threat Blocked, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Trellix Network Security Threat Blocked, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Trellix Network Security Threat Notified, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
index 82c4d48123..5e19f69f67 100644
--- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential LokiBot User-Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
index 77e144e6ad..e15a6248f7 100644
--- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
index c3e6bdd3ad..90899510fb 100644
--- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
index 7038283ab4..d253d227e5 100644
--- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Lsass Child Found, Winrshost Wrong Parent, Rare Logonui Child Found, Chafer (APT 39) Activity, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Lsass Child Found, Winrshost Wrong Parent, Rare Logonui Child Found, Chafer (APT 39) Activity, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Lsass Child Found, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Wininit Wrong Parent, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Lsass Child Found, Winrshost Wrong Parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Microsoft Defender Antivirus Threat Detected, Wsmprovhost Wrong Parent, SolarWinds Suspicious File Creation, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Kernel Module Alteration, Powershell Winlogon Helper DLL, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Leviathan Registry Key Activity"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Chafer (APT 39) Activity"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Chafer (APT 39) Activity"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Exploiting SetupComplete.cmd CVE-2019-1378, WMImplant Hack Tool, Suspicious XOR Encoded PowerShell Command Line, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Trickbot Malware Activity, Socat Relaying Socket, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, Phorpiex DriveMgr Command, PowerShell Invoke Expression With Registry, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Outlook Child Process, Interactive Terminal Spawned via Python, Microsoft Office Spawning Script, PowerShell NTFS Alternate Data Stream, Malicious PowerShell Keywords, Socat Reverse Shell Detection, PowerShell Credential Prompt, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Sekoia.io EICAR Detection, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Threat Detected, Venom Multi-hop Proxy agent detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Keywords, QakBot Process Creation, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, NlTest Usage, PowerView commandlets 2, Trickbot Malware Activity, PowerView commandlets 1, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Ursnif Registry Key, RDP Sensitive Settings Changed, OceanLotus Registry Activity"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, SELinux Disabling, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable SecurityHealth, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Disabled Service, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, SELinux Disabling, ETW Tampering, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Disable SecurityHealth, Suspicious Driver Loaded, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Disabled Service, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Powershell AMSI Bypass, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, HackTools Suspicious Names, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: WMImplant Hack Tool, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, PowerShell Invoke Expression With Registry, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, Malicious PowerShell Keywords, PowerShell Credential Prompt, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Keywords, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Admin User RDP Remote Logon, Account Added To A Security Enabled Group"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Socat Relaying Socket, Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Suspicious Outlook Child Process, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Login From Localhost, MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Chafer (APT 39) Activity, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Chafer (APT 39) Activity, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Microsoft Defender Antivirus Threat Detected, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Csrss Wrong Parent, Lsass Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Sliver DNS Beaconing, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Powershell Winlogon Helper DLL, Autorun Keys Modification, Suspicious desktop.ini Action"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Microsoft Defender Antivirus Threat Detected, Trickbot Malware Activity, PowerShell Invoke Expression With Registry, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Python Offensive Tools and Packages, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Credential Prompt, Suspicious PowerShell Invocations - Specific, Suspicious PowerShell Keywords, AutoIt3 Execution From Suspicious Folder, Sekoia.io EICAR Detection, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, FromBase64String Command Line, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Mshta Suspicious Child Process, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Generic-reverse-shell-oneliner, PowerShell NTFS Alternate Data Stream, Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, WMImplant Hack Tool, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell, PowerShell Malicious PowerShell Commandlets"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, PowerView commandlets 2, Active Directory Data Export Using Csvde, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, PowerView commandlets 1, PowerView commandlets 2, Phosphorus Domain Controller Discovery, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Disable Workstation Lock, Chafer (APT 39) Activity, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Services, Dism Disabling Windows Defender, FLTMC command usage, Powershell AMSI Bypass, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious PowerShell Keywords, FromBase64String Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, Mshta Suspicious Child Process, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell NTFS Alternate Data Stream, Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, PowerShell Credential Prompt"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Cookies Deletion"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Rubeus Register New Logon Process, Possible Replay Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Potential DNS Tunnel, SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Powershell AMSI Bypass, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, SSH Authorized Key Alteration, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement, RDP Login From Localhost"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
index d3a8d18bac..c88416a101 100644
--- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
index 5f2219c9ca..f03f16146a 100644
--- a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
index 451ced834f..79507f798b 100644
--- a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
index b97432d405..c67fa1da49 100644
--- a/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cyberwatch Detection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cyberwatch Detection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
index 3771641ca0..2df165603c 100644
--- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS New Country, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Filter Policy Removed, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Malware Uploaded On SharePoint"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Microsoft 365 Device Code Authentication, Account Added To A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Suspicious Email Attachment Received, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS Repeated Failed Login, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Suspicious Email Attachment Received, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS New Country, Download Files From Suspicious TLDs, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) MCAS Repeated Delete, Suspicious Double Extension, Microsoft 365 (Office 365) Malware Filter Policy Removed, Possible Malicious File Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Malware Uploaded On SharePoint"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Malware Filter Policy Removed, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) AtpDetection, Download Files From Suspicious TLDs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Malware Filter Policy Removed, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Suspicious Email Attachment Received, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Possible Malicious File Double Extension, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) AtpDetection, Download Files From Suspicious TLDs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
index cbb341279c..f484561c5b 100644
--- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
index a5a85713b9..740e51891d 100644
--- a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
index 7f9f035811..b6f1fd616f 100644
--- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
index 6099557330..665123f432 100644
--- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
index 8e64801bed..33af45a738 100644
--- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, Backup Catalog Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail Important Change, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM ChangePassword, AWS CloudTrail Remove Flow logs, AWS CloudTrail Config Disable Channel/Recorder, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail Disable MFA, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, AWS CloudTrail KMS CMK Key Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, AWS CloudTrail EC2 Startup Script Changed, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Attempt, Password Change On Directory Service Restore Mode (DSRM) Account, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Root ConsoleLogin"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail Root ConsoleLogin"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail Disable MFA, AWS CloudTrail Important Change, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM ChangePassword"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted, Backup Catalog Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Disable MFA, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail Important Change, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM ChangePassword"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Attempt, Password Change On Directory Service Restore Mode (DSRM) Account, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Root ConsoleLogin"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Root ConsoleLogin"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail Disable MFA, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Important Change, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM ChangePassword"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
index d52e7be09e..011eb3472e 100644
--- a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Sliver DNS Beaconing, Cryptomining, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Sliver DNS Beaconing, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
index b3b558784c..264f1ef511 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
index da1f1989a0..9c4cdeab2a 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
index f7ccb07d9c..9ed211d667 100644
--- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
index 597231879c..31d14b82b2 100644
--- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
index 3614727199..94a7967d4b 100644
--- a/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Veeam Backup", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Veeam Backup", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index 08f122f0d4..4906ad4d04 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Sliver DNS Beaconing, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Zscaler ZIA Suspicious Threat, Zscaler ZIA Malicious Threat, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Zscaler ZIA Suspicious Threat, Zscaler ZIA Malicious Threat, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Sliver DNS Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Zscaler ZIA Malicious Threat, Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Zscaler ZIA Malicious Threat, Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
index 78eb7e2587..f6419c2235 100644
--- a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
index 3e1c8b90e2..1ee579fc66 100644
--- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
index 7e4bc06e26..57ed474bcf 100644
--- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
index e102d660c5..8b23a2c153 100644
--- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spearphishing (CEO Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365 And Not Blocked, SEKOIA.IO Intelligence Feed, Phishing Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Spam Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365, Scam Detected By Vade For M365, Phishing Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spam Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
index 06728bc01a..f96ed89e90 100644
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Modified, Okta MFA Disabled, Okta Network Zone Deleted, Okta Security Threat Configuration Updated, Okta Network Zone Deactivated, Okta Blacklist Manipulations"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Okta Security Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Application deleted, Okta User Account Deactivated, Okta Admin Privilege Granted, Okta Application modified, Okta User Impersonation Access"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Deactivated, Okta Network Zone Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta MFA Disabled, Okta Network Zone Deactivated, Okta Network Zone Modified, Okta Blacklist Manipulations, Okta Network Zone Deleted, Okta Security Threat Configuration Updated"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Admin Privilege Granted, Okta User Account Deactivated, Okta Application modified, Okta Application deleted, Okta User Impersonation Access"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Modified, Okta Network Zone Deleted, Okta Network Zone Deactivated"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
index ebee3b7684..599ba1c4fe 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenVPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenVPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
index a56cfb8b6c..804bc8fe6c 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Socat Relaying Socket, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Interactive Terminal Spawned via Python, Socat Reverse Shell Detection, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Microsoft Office Creating Suspicious File, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, ETW Tampering, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, SolarWinds Suspicious File Creation, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Socat Relaying Socket, Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, PowerShell Download From URL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, Lazarus Loaders, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, Equation Group DLL_U Load, Explorer Process Executing HTA File, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Erase Shell History, Clear EventLogs Through CommandLine, Compression Followed By Suppression, ETW Tampering, Cookies Deletion"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
index ed3861e99e..82ebdece55 100644
--- a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index e173fdb467..5a362d4595 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
index 69fd680252..d5f3008458 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
index 7e01beb5e9..d16681f8a1 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
index adc62f5813..72f61336f3 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
index 363a285fd0..3b22cd7b29 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
index c1107f11a1..e84dc6ad2c 100644
--- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
index afe9511079..f9e872a329 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Lsass Child Found, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, New Service Creation, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Lsass Child Found, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Userinit Wrong Parent, Winword wrong parent, Svchost Wrong Parent, Taskhost Wrong Parent, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Sysinternals Tools, Dllhost Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Lsass Child Found, Windows Update LolBins, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Logonui Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Microsoft Defender Antivirus Threat Detected, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Searchindexer Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Kernel Module Alteration, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Trickbot Malware Activity, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Linux Bash Reverse Shell, PowerShell Download From URL, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Windows Script Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Generic-reverse-shell-oneliner, Sekoia.io EICAR Detection, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Threat Detected, QakBot Process Creation, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Ursnif Registry Key, RDP Sensitive Settings Changed, OceanLotus Registry Activity"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Windows Installer Execution, xWizard Execution, MOFComp Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, CertOC Loading Dll, Suspicious Regsvr32 Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Elise Backdoor, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Debugging Software Deactivation, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allow Command, Suspicious Driver Loaded, FLTMC command usage, Disable Task Manager Through Registry Key, Dism Disabling Windows Defender, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, Netsh Allowed Python Program, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Raccine Uninstall, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Suspicious Outlook Child Process, Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Stormshield Ses Critical Block, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, Stormshield Ses Emergency Block, Stormshield Ses Critical Not Block, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Wrong Parent, Lsass Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Wrong Parent, Windows Update LolBins, Logonui Wrong Parent, Microsoft Defender Antivirus Threat Detected, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, PsExec Process, Smss Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, Dllhost Wrong Parent, Userinit Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Csrss Wrong Parent, Lsass Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Autorun Keys Modification"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Cron Files Alteration, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell Commands Invocation, Microsoft Defender Antivirus Threat Detected, Trickbot Malware Activity, Suspicious VBS Execution Parameter, PowerShell Downgrade Attack, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Aspnet Compiler, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Download From URL, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Sekoia.io EICAR Detection, AutoIt3 Execution From Suspicious Folder, Lazarus Loaders, Microsoft Office Spawning Script, Sysprep On AppData Folder, Suspicious Outlook Child Process, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, QakBot Process Creation, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious CodePage Switch with CHCP, Phorpiex DriveMgr Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Suspicious Taskkill Command, Linux Bash Reverse Shell"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: OceanLotus Registry Activity, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Mshta JavaScript Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Explorer Process Executing HTA File, MOFComp Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Control Panel Items, Suspicious Mshta Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Suspicious Control Process, PowerShell Execution Via Rundll32, xWizard Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Elise Backdoor, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, FLTMC command usage, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Package Manager Alteration, Debugging Software Deactivation, Windows Firewall Changes, Disable Task Manager Through Registry Key, Suspicious Driver Loaded, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Fail2ban Unban IP, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Rubeus Tool Command-line, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Stormshield Ses Emergency Block, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Download Files From Suspicious TLDs, Stormshield Ses Critical Not Block, Exploit For CVE-2015-1641, Stormshield Ses Critical Block, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
index f210b1307c..714f47deed 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
index 0c0660c6d8..6b0aaa3e5d 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
index 3d551fb8ff..695c8d3d08 100644
--- a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
index eac67f1d7e..5fa858d61f 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Changelog _last update on 2024-07-01_
+Changelog _last update on 2024-07-02_
 
 ## Changelog
 
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
index 6c122477b1..bdf34c4fe8 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Rules catalog includes **891 built-in detection rules** ([_last update on 2024-07-01_](rules_changelog.md)).
+Rules catalog includes **894 built-in detection rules** ([_last update on 2024-07-02_](rules_changelog.md)).
 ## Reconnaissance
 **Gather Victim Identity Information**
 
@@ -629,6 +629,12 @@ Rules catalog includes **891 built-in detection rules** ([_last update on 2024-0
     
     - **Effort:** intermediate
     
+??? abstract "Google Workspace Account Warning"
+    
+    Detects a suspicious login, leaked password, or account disabled following suspicious activity.
+    
+    - **Effort:** elementary
+    
 ??? abstract "Google Workspace Admin Creation"
     
     Detects when an admin is created or when his role is changed.
@@ -1955,6 +1961,12 @@ Rules catalog includes **891 built-in detection rules** ([_last update on 2024-0
     
     - **Effort:** elementary
     
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+    
 ??? abstract "PowerShell Credential Prompt"
     
     Detects PowerShell calling a credential prompt (using PromptForCredential), like $Credential = $host.ui.PromptForCredential("Need credentials", "Please enter your user name and password.", "", "NetBiosUserName"). The same result can be obtained by using the Get-Credential function but detecting it will trigger a lot of FP.
@@ -4461,6 +4473,12 @@ Rules catalog includes **891 built-in detection rules** ([_last update on 2024-0
     
     - **Effort:** intermediate
     
+??? abstract "Google Workspace Account Warning"
+    
+    Detects a suspicious login, leaked password, or account disabled following suspicious activity.
+    
+    - **Effort:** elementary
+    
 ??? abstract "Google Workspace Admin Creation"
     
     Detects when an admin is created or when his role is changed.
@@ -6153,6 +6171,12 @@ Rules catalog includes **891 built-in detection rules** ([_last update on 2024-0
     
     - **Effort:** intermediate
     
+??? abstract "Google Workspace Account Warning"
+    
+    Detects a suspicious login, leaked password, or account disabled following suspicious activity.
+    
+    - **Effort:** elementary
+    
 ??? abstract "Google Workspace Admin Creation"
     
     Detects when an admin is created or when his role is changed.
@@ -7719,6 +7743,12 @@ Rules catalog includes **891 built-in detection rules** ([_last update on 2024-0
     
     - **Effort:** advanced
     
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+    
 ??? abstract "ETW Tampering"
     
     Detects a command that clears or disables any ETW Trace log which could indicate a logging evasion
@@ -7899,6 +7929,12 @@ Rules catalog includes **891 built-in detection rules** ([_last update on 2024-0
     
     - **Effort:** intermediate
     
+??? abstract "Google Workspace Account Warning"
+    
+    Detects a suspicious login, leaked password, or account disabled following suspicious activity.
+    
+    - **Effort:** elementary
+    
 ??? abstract "Google Workspace Admin Creation"
     
     Detects when an admin is created or when his role is changed.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.md
index 47485c6b58..d4cd29cf74 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.md
@@ -327,6 +327,12 @@ The following Sekoia.io built-in rules match the intake **Google Kubernetes Engi
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell EncodedCommand"
     
     Detects popular file extensions in commands obfuscated in base64 run through the EncodedCommand option.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md
index bd8544dbc1..f6e666c43f 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md
@@ -687,6 +687,12 @@ The following Sekoia.io built-in rules match the intake **Elastic AuditBeat Linu
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md
index 128a85654b..b0d7aff45d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md
@@ -219,6 +219,12 @@ The following Sekoia.io built-in rules match the intake **WithSecure Elements**.
     
     - **Effort:** advanced
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Copying Browser Files With Credentials"
     
     Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files.
@@ -867,6 +873,12 @@ The following Sekoia.io built-in rules match the intake **WithSecure Elements**.
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md
index 48a6bba120..b672c39785 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md
@@ -987,6 +987,12 @@ The following Sekoia.io built-in rules match the intake **Microsoft 365 Defender
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md
index 7f4b5e6ad3..cf8bb0677f 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md
@@ -243,6 +243,12 @@ The following Sekoia.io built-in rules match the intake **Trend Micro Apex One**
     
     - **Effort:** advanced
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Copying Browser Files With Credentials"
     
     Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files.
@@ -861,6 +867,12 @@ The following Sekoia.io built-in rules match the intake **Trend Micro Apex One**
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md
index 56752ca164..f2b4a740a4 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md
@@ -471,6 +471,12 @@ The following Sekoia.io built-in rules match the intake **SentinelOne EDR**. Thi
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell EncodedCommand"
     
     Detects popular file extensions in commands obfuscated in base64 run through the EncodedCommand option.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md
index 94df94fdc8..36a1ea7d4d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md
@@ -831,6 +831,12 @@ The following Sekoia.io built-in rules match the intake **Cybereason EDR activit
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md
index fd03b118f1..6657dd6f95 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md
@@ -903,6 +903,12 @@ The following Sekoia.io built-in rules match the intake **Crowdstrike Falcon Tel
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md
index c2dbcfa5a0..6f4f9252ab 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md
@@ -381,6 +381,12 @@ The following Sekoia.io built-in rules match the intake **RSA SecurID**. This do
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell EncodedCommand"
     
     Detects popular file extensions in commands obfuscated in base64 run through the EncodedCommand option.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
index e0beb096da..b4f4b40659 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
@@ -975,6 +975,12 @@ The following Sekoia.io built-in rules match the intake **CrowdStrike Falcon**.
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md
index 715d53a7fb..d9aa072308 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md
@@ -387,6 +387,12 @@ The following Sekoia.io built-in rules match the intake **Sekoia.io Endpoint Age
     
     - **Effort:** advanced
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Copy Of Legitimate System32 Executable"
     
     A script has copied a System32 executable.
@@ -1599,6 +1605,12 @@ The following Sekoia.io built-in rules match the intake **Sekoia.io Endpoint Age
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Credential Prompt"
     
     Detects PowerShell calling a credential prompt (using PromptForCredential), like $Credential = $host.ui.PromptForCredential("Need credentials", "Please enter your user name and password.", "", "NetBiosUserName"). The same result can be obtained by using the Get-Credential function but detecting it will trigger a lot of FP.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.md
index b44bcc6fde..643de3074f 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.md
@@ -3,6 +3,12 @@
 The following Sekoia.io built-in rules match the intake **Kaspersky Endpoint Security**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Kaspersky Endpoint Security on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json){ .md-button }
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Cron Files Alteration"
     
     Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md
index 0978b63985..9fe2b36f06 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md
@@ -1065,6 +1065,12 @@ The following Sekoia.io built-in rules match the intake **Azure Windows**. This
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.md
index 5525c327ec..9ee471ffe4 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.md
@@ -357,6 +357,12 @@ The following Sekoia.io built-in rules match the intake **VMware ESXi**. This do
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell EncodedCommand"
     
     Detects popular file extensions in commands obfuscated in base64 run through the EncodedCommand option.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md
index a111169a17..1f7a1ea8d8 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md
@@ -243,6 +243,12 @@ The following Sekoia.io built-in rules match the intake **HarfangLab EDR**. This
     
     - **Effort:** advanced
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Copying Browser Files With Credentials"
     
     Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files.
@@ -1161,6 +1167,12 @@ The following Sekoia.io built-in rules match the intake **HarfangLab EDR**. This
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md
index 417edd1761..d7f6f3af85 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md
@@ -1017,6 +1017,12 @@ The following Sekoia.io built-in rules match the intake **SentinelOne Cloud Funn
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md
index fe19d7db31..7534683f84 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md
@@ -213,6 +213,12 @@ The following Sekoia.io built-in rules match the intake **Cisco NX-OS**. This do
     
     - **Effort:** advanced
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Copying Browser Files With Credentials"
     
     Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files.
@@ -813,6 +819,12 @@ The following Sekoia.io built-in rules match the intake **Cisco NX-OS**. This do
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.md
index 9c60ca9180..577045b5d6 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.md
@@ -201,6 +201,12 @@ The following Sekoia.io built-in rules match the intake **Tanium**. This documen
     
     - **Effort:** advanced
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Copying Browser Files With Credentials"
     
     Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files.
@@ -927,6 +933,12 @@ The following Sekoia.io built-in rules match the intake **Tanium**. This documen
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md
index 794bcbcfb1..6c93b79a7e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md
@@ -339,6 +339,12 @@ The following Sekoia.io built-in rules match the intake **WALLIX Bastion**. This
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell EncodedCommand"
     
     Detects popular file extensions in commands obfuscated in base64 run through the EncodedCommand option.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md
index 88f76bcbab..bf8100d271 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md
@@ -687,6 +687,12 @@ The following Sekoia.io built-in rules match the intake **Stormshield SNS**. Thi
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.md
index 3ab94955a1..a7ed8a536c 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.md
@@ -3,6 +3,12 @@
 The following Sekoia.io built-in rules match the intake **Varonis Data Security**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Varonis Data Security on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json){ .md-button }
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Cron Files Alteration"
     
     Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md
index c556e8a3e6..81bfd2f56e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md
@@ -843,6 +843,12 @@ The following Sekoia.io built-in rules match the intake **TEHTRIS EDR**. This do
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md
index e3d652d143..8a41536b03 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md
@@ -93,6 +93,12 @@ The following Sekoia.io built-in rules match the intake **Palo Alto NGFW**. This
     
     - **Effort:** advanced
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Cron Files Alteration"
     
     Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md
index 014352da19..9e04204a69 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md
@@ -447,6 +447,12 @@ The following Sekoia.io built-in rules match the intake **Windows**. This docume
     
     - **Effort:** advanced
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Copy Of Legitimate System32 Executable"
     
     A script has copied a System32 executable.
@@ -1803,6 +1809,12 @@ The following Sekoia.io built-in rules match the intake **Windows**. This docume
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Credential Prompt"
     
     Detects PowerShell calling a credential prompt (using PromptForCredential), like $Credential = $host.ui.PromptForCredential("Need credentials", "Please enter your user name and password.", "", "NetBiosUserName"). The same result can be obtained by using the Get-Credential function but detecting it will trigger a lot of FP.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.md
index ffdfe54618..528f60ba96 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.md
@@ -675,6 +675,12 @@ The following Sekoia.io built-in rules match the intake **Trellix EDR [ALPHA]**.
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md
index 100eb0241e..caf7b5b674 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md
@@ -939,6 +939,12 @@ The following Sekoia.io built-in rules match the intake **Sophos Analysis Threat
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.md
index ea12feefa8..aeca01012a 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.md
@@ -195,6 +195,12 @@ The following Sekoia.io built-in rules match the intake **Palo Alto Cortex XDR (
     
     - **Effort:** advanced
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Copying Browser Files With Credentials"
     
     Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files.
@@ -813,6 +819,12 @@ The following Sekoia.io built-in rules match the intake **Palo Alto Cortex XDR (
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.md
index ddb876f9fe..8899b9b681 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.md
@@ -627,6 +627,12 @@ The following Sekoia.io built-in rules match the intake **F5 BIG-IP**. This docu
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell EncodedCommand"
     
     Detects popular file extensions in commands obfuscated in base64 run through the EncodedCommand option.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md
index 897579770f..694c935202 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md
@@ -207,6 +207,12 @@ The following Sekoia.io built-in rules match the intake **Trend Micro Cloud One
     
     - **Effort:** advanced
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Copying Browser Files With Credentials"
     
     Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files.
@@ -783,6 +789,12 @@ The following Sekoia.io built-in rules match the intake **Trend Micro Cloud One
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md
index 553b754cee..9e04db0224 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md
@@ -291,6 +291,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** advanced
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Copy Of Legitimate System32 Executable"
     
     A script has copied a System32 executable.
@@ -1197,6 +1203,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Credential Prompt"
     
     Detects PowerShell calling a credential prompt (using PromptForCredential), like $Credential = $host.ui.PromptForCredential("Need credentials", "Please enter your user name and password.", "", "NetBiosUserName"). The same result can be obtained by using the Get-Credential function but detecting it will trigger a lot of FP.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.md
index 385b80acbc..87e4a3a0ba 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.md
@@ -33,6 +33,12 @@ The following Sekoia.io built-in rules match the intake **Netskope**. This docum
     
     - **Effort:** intermediate
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Cron Files Alteration"
     
     Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md
index 0a7b3809c8..c578e5ce3e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md
@@ -195,6 +195,12 @@ The following Sekoia.io built-in rules match the intake **IBM AIX**. This docume
     
     - **Effort:** advanced
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Copying Browser Files With Credentials"
     
     Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files.
@@ -765,6 +771,12 @@ The following Sekoia.io built-in rules match the intake **IBM AIX**. This docume
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md
index 041a61cfad..fcf71a9f66 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md
@@ -153,6 +153,12 @@ The following Sekoia.io built-in rules match the intake **SonicWall Firewall**.
     
     - **Effort:** master
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Cron Files Alteration"
     
     Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md
index 5ec66a2346..2fe1024be4 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md
@@ -1065,6 +1065,12 @@ The following Sekoia.io built-in rules match the intake **Stormshield SES**. Thi
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Commands Invocation"
+    
+    Detects the execution to invoke a powershell command. This was used in an intrusion using Gootloader to access Mimikatz.
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md
index fb22215c84..ae4564f65b 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md
@@ -69,6 +69,12 @@ The following Sekoia.io built-in rules match the intake **IBM iSeries [BETA]**.
     
     - **Effort:** master
 
+??? abstract "Cookies Deletion"
+    
+    Detects when cookies are deleted by a suspicious process.
+    
+    - **Effort:** master
+
 ??? abstract "Cron Files Alteration"
     
     Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.
diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
index 90eb226da1..e13642d393 100644
--- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md
+++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
@@ -1,6 +1,6 @@
 # Built-in detection rules, EventIDs and EventProviders relations
 SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture.
-This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-07-01_
+This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-07-02_
 
 The colors of the EventIDs in this page should be interpreted as follow:
 
@@ -126,6 +126,7 @@ The colors of the EventIDs in this page should be interpreted as follow:
 | Domain Trust Created Or Removed | advanced | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706' style='color: inherit;'>4706</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4707' style='color: inherit;'>4707</a></span> | Microsoft-Windows-Security-Auditing |
 | PowerShell Malicious Nishang PowerShell Commandlets | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
 | WMIC Command To Determine The Antivirus | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#D89462">4104</span> | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| PowerShell Commands Invocation | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
 | Cmd.exe Used To Run Reconnaissance Commands | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | WMI Persistence Script Event Consumer File Write | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
 | OneNote Suspicious Children Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
@@ -482,18 +483,18 @@ The colors of the EventIDs in this page should be interpreted as follow:
 | Microsoft Office Startup Add-In | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
 
 ## EventIDs occurences in rules
-| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 468) |
+| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 469) |
 | ------- | ------------------------- | ------------------------------------------------------ |
-| 1 | 224 | 47.86 % |
-| 13 | 46 | 9.83 % |
-| 4104 | 43 | 9.19 % |
-| 5 | 21 | 4.49 % |
-| 11 | 20 | 4.27 % |
-| 7 | 15 | 3.21 % |
+| 1 | 225 | 47.97 % |
+| 13 | 46 | 9.81 % |
+| 4104 | 43 | 9.17 % |
+| 5 | 21 | 4.48 % |
+| 11 | 20 | 4.26 % |
+| 7 | 15 | 3.2 % |
 | 7045 | 11 | 2.35 % |
-| 5145 | 10 | 2.14 % |
-| 15 | 10 | 2.14 % |
-| 4688 | 7 | 1.5 % |
+| 5145 | 10 | 2.13 % |
+| 15 | 10 | 2.13 % |
+| 4688 | 7 | 1.49 % |
 | 17 | 6 | 1.28 % |
 | 3 | 6 | 1.28 % |
 | 5136 | 6 | 1.28 % |
@@ -562,12 +563,12 @@ The colors of the EventIDs in this page should be interpreted as follow:
 | 4741 | 1 | 0.21 % |
 
 ## EventProviders occurences in rules
-| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 468) |
+| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 469) |
 | ------- | ------------------------- | ------------------------------------------------------ |
-| Microsoft-Windows-Sysmon | 291 | 62.18 % |
-| Microsoft-Windows-Security-Auditing | 76 | 16.24 % |
-| Microsoft-Windows-PowerShell | 46 | 9.83 % |
-| Kernel-Process | 34 | 7.26 % |
+| Microsoft-Windows-Sysmon | 291 | 62.05 % |
+| Microsoft-Windows-Security-Auditing | 76 | 16.2 % |
+| Microsoft-Windows-PowerShell | 46 | 9.81 % |
+| Kernel-Process | 35 | 7.46 % |
 | Service Control Manager | 11 | 2.35 % |
 | Microsoft-Windows-Windows Defender | 9 | 1.92 % |
 | Microsoft-Windows-Kernel-File | 5 | 1.07 % |
@@ -586,9 +587,9 @@ The colors of the EventIDs in this page should be interpreted as follow:
 | Microsoft-Windows-DNS-Client | 1 | 0.21 % |
 
 ## EffortLevel x EventIDs
-| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 468 |
+| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 469 |
 | ------------ | -------- | ----------------------- | ------------------------------------------------------- |
-| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 22, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4726, 4728, 4729, 4732, 4743, 5007, 5140, 5145, 64, 7, 79016668, 8001, 83820799, 98 | 92 | 19.66 % |
-| advanced | 1, 10, 11, 1116, 1127, 13, 15, 17, 21, 22, 23, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 5, 5136, 5145, 5154, 5156, 6416, 7, 7045, 8 | 118 | 25.21 % |
-| intermediate | 1, 10, 1000, 1033, 1034, 11, 1102, 1116, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4662, 4663, 4688, 4697, 4698, 47, 4720, 4738, 4741, 4768, 4794, 4799, 4825, 5, 5136, 5145, 524, 6, 7, 7045 | 170 | 36.32 % |
-| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4625, 4663, 4688, 4697, 4704, 4720, 4738, 5, 5136, 7, 7045, 8 | 88 | 18.8 % |
\ No newline at end of file
+| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 22, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4726, 4728, 4729, 4732, 4743, 5007, 5140, 5145, 64, 7, 79016668, 8001, 83820799, 98 | 92 | 19.62 % |
+| advanced | 1, 10, 11, 1116, 1127, 13, 15, 17, 21, 22, 23, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 5, 5136, 5145, 5154, 5156, 6416, 7, 7045, 8 | 119 | 25.37 % |
+| intermediate | 1, 10, 1000, 1033, 1034, 11, 1102, 1116, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4662, 4663, 4688, 4697, 4698, 47, 4720, 4738, 4741, 4768, 4794, 4799, 4825, 5, 5136, 5145, 524, 6, 7, 7045 | 170 | 36.25 % |
+| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4625, 4663, 4688, 4697, 4704, 4720, 4738, 5, 5136, 7, 7045, 8 | 88 | 18.76 % |
\ No newline at end of file